RU Liable If Someone Does Something Illegal On Your WiFi?

JDMurray

This short article--followed by many comments--on techdirt brings up the reality that all the people who share their Internet connection via a wireless router might be setting themselves up for lawsuits by unwittingly aiding people in committing Internet crimes.

Unscrupulous people may leave their wireless LANs open to public access to cover up their own illegal tracks. The logic is that if their WLAN is open to the public, law enforcement can't prove with certainty that the illegal activity originated from the owner of the WLAN. However, finding the actual perpetrator of a crime will be all that's necessary to get a warrant for seizing all of the WLAN owner's computer equipment, after which the determination can usually be easily made.

There is also a mistaken impression that an open, wireless Internet connection somehow bestows immunity from liability via the Communications Decency Act (CDA) like it does for ISPs. However, sharing your Internet connection wirelessly with the neighborhood doesn't make you an ISP, and therefore doing so does not give protection under the CDA. And, as pointed out in the article's comments, the CDA offers no protection against intellectual property claims (e.g., copyright and trademark infringement) or criminal liability.

The real reason that you should not make your Internet connection wirelessly available to your entire apartment building or neighborhood is that your ISP's residential usage agreement probably doesn't allow you to this. It is likely that your ISP regards such activity as a sufficient reason to immediately and permanently terminate your Internet service.

http://www.techdirt.com/articles/20060320/1636238.shtml

drainey

Very good point JD.

Not to mention that I for one don't want to find myself trying to explain to my family, friends, boss, people at church, pastor, etc. why I'm being investigated for Child **** viewed via my wireless link. Even if I know they won't find anything on my pc's, the stigma will remain for a long time.

DarklyWise

Good point - while my wireless connection isn't the most secure, at least I have encryption and a mac table setup - it's better than nothing, at least I'm trying!!

Mister Multipath

I recommend to all clients that they properly secure their wireless networks using strong encryption such as CCMP/AES and mutual authenication such as PEAP or TTLS.

Most businesses do like to have a "guest" wireless network available with no security that allows guests access to a gateway to the Internet howver all other network resources are unavailable.

Using wireless VLANs gives you the ability to run multiple security schemes including an unsecure "guest" wireless VLAN.

I HIGHLY recommeded that all "guest" users must first login through a captive portal web page. The only purpose for the guest login is that the captve portal web page will have a BIG DISCLAIMER written by a really good lawyer so that other bloodsucking lawyers do not come after your company's money in case a guest user does something illegal via your guest wireless LAN or something happens to the guest user while he/she is using the guest wireless connection

sprkymrk

DarklyWise wrote:

Good point - while my wireless connection isn't the most secure, at least I have encryption and a mac table setup - it's better than nothing, at least I'm trying!!

For most home connections, that's good enough. While a slick war driver can still bypass that kind of security (you don't mention what level of encryption you are using) it will still protect you in court, as the mere fact that you are using any encryption at all (even the almost-worthless WEP encryption) assumes a level of privacy and that the network is not intended for public use. It is actually more solid in court than a simple login banner/disclaimer.

Mister Multipath

sprkymrk wrote:

For most home connections, that's good enough. While a slick war driver can still bypass that kind of security (you don't mention what level of encryption you are using) it will still protect you in court, as the mere fact that you are using any encryption at all (even the almost-worthless WEP encryption) assumes a level of privacy and that the network is not intended for public use. It is actually more solid in court than a simple login banner/disclaimer.

You should always encrypt your home connection as well as take other security measures. And in the enterprise, you should always be protecting your VoIP and data communications with strong encryption.

But in the business world, there is often a need for a "GUEST" wireless network with no encryption at all to make it easy for guest users to connect. The captive portal is what protects you legally because no encryption solution is provided. All the major hotspot providers all provide absolutely zero in way of security but they always have a captive portal with a disclaimer to protect themselves legally.

JDMurray

There was a lot of discussion a while ago about the concept of leaving your home wireless network's Internet connection open and publicly accessible to establish "plausible deniability" in case you are hit with a cease-and-desist-order from the MPAA or RIAA. You can then claim (in a court of law) that you have no idea who was downloading movie or music files via your wireless network connection, but it wasn't you. It isn't illegal to maintain an open Wi-fi connection to the Internet, although it is likely a violation of your ISP's customer service agreement.

Of course, this tactic won't do squat for you if law enforcement gets a warrant, seizes your computer, and finds incriminating evidence on it. You can claim someone else put the illicit information there, but you are still in possession of your computer's contents, and therefore you will bear some responsibility.

sprkymrk

Mister Multipath wrote:

sprkymrk wrote:

For most home connections, that's good enough. While a slick war driver can still bypass that kind of security (you don't mention what level of encryption you are using) it will still protect you in court, as the mere fact that you are using any encryption at all (even the almost-worthless WEP encryption) assumes a level of privacy and that the network is not intended for public use. It is actually more solid in court than a simple login banner/disclaimer.

You should always encrypt your home connection as well as take other security measures. And in the enterprise, you should always be protecting your VoIP and data communications with strong encryption.

But in the business world, there is often a need for a "GUEST" wireless network with no encryption at all to make it easy for guest users to connect. The captive portal is what protects you legally because no encryption solution is provided. All the major hotspot providers all provide absolutely zero in way of security but they always have a captive portal with a disclaimer to protect themselves legally.

I was speaking strictly about a home/personal network and protecting yourself in court. I can't tell if you agree or disagree.... . But you are correct that one should always use the absolute best security one is capable of, either at home or at work.

The concept of an unprotected "guest" network is one that I suspect will eventually disappear. Other solutions, such as issuing a smart card to a guest to provide access to a DMZ for encrypted and controlled Internet access (similar to issuing a guest a temporary security badge for access to the grounds/building) will probably become more common. Even hotels and Starbuck's could do this to control access without too much overhead.

garv221

This is a great thread. I was just thinking about this awhile ago. In my sub division, I pick up at least 6 wireless networks with no security and some still have the default name ie netgear, linksys. I understand how this can be the residents fault if their IP is tagged from someone else using it for illegal activitys. But I don't think that could be help up in court today, users can plead "incompetence" . Then again, ISPs provide a network setup for residents with a small fee that the court could say they have neglected to use which makes them liable. These types of issues need to be made more clear to users.

On another note, I have wondered if people set their wireless networks wide open on purpose in hopes to key log and packet sniff logged on users?

Mister Multipath

sprkymrk wrote:

I can't tell if you agree or disagree.... . But you are correct that one should always use the absolute best security one is capable of, either at home or at work.

The concept of an unprotected "guest" network is one that I suspect will eventually disappear. Other solutions, such as issuing a smart card to a guest to provide access to a DMZ for encrypted and controlled Internet access (similar to issuing a guest a temporary security badge for access to the grounds/building) will probably become more common. Even hotels and Starbuck's could do this to control access without too much overhead.

We agree on all points except the last paragraph

While using guest temporary smart cards is a certainly possible.... I seriously doubt most businesses will adopt it any time soon for guest access. I can see some businesses implementing such a solution such as financial institutions or hospitals, but most probably will not go that route due to cost issues. Secondly, I do not see hot spot providers like Starbucks/T-Mobile, Boingo, etc ever implementing such a solution. And if they do implement such a solution.... they will want even more money. For example, TMobile has an 802.1X supplicant avaialble for use at any of their hot-spots.... but the cost is DOUBLE what normal unsecure access costs.

Plus all these cities are now trying to implement city-wide public access via mesh networks and they will also have zero security.

I'm afraid wide open wireless guest networks will be around for a long time to come

JDMurray

garv221 wrote:

On another note, I have wondered if people set their wireless networks wide open on purpose in hopes to key log and packet sniff logged on users?

Oh sure this happens. This would be considered passive phishing using a honeypot access point. People have been sniffing their shared cable Internet connections for years to find all sorts of information from their neighbors. The same goes for wired and wireless Internet access in hotels, and the wireless hotspots in libraries and coffee houses.

Setting up an open access point with Internet access in a public area in the hopes of snaring passwords and other information from unsuspecting connected clients is very likely thing to happen. I personally will not use a public hotspot unless I am also establishing my own secure VPN using a product like HotSpotVPN (http://www.hotspotvpn.com/).

hanakuin

What do you think of the implications of FON, I believe that it's fon.com where you purposly share your internet connection with the world. They ship you a free wireless router and you decide to bill or not to bill people using your connection. Some of services like these are really gaining alot of ground.

JDMurray

Many ISPs have a public hotspot plan and service agreement; all of the major access point manufacturers have hotspot boxes as well. If you wanted to offer free or for-pay Internet service to a group of people, that's the way to go.

sprkymrk

Mister Multipath wrote:

sprkymrk wrote:

I can't tell if you agree or disagree.... . But you are correct that one should always use the absolute best security one is capable of, either at home or at work.

The concept of an unprotected "guest" network is one that I suspect will eventually disappear. Other solutions, such as issuing a smart card to a guest to provide access to a DMZ for encrypted and controlled Internet access (similar to issuing a guest a temporary security badge for access to the grounds/building) will probably become more common. Even hotels and Starbuck's could do this to control access without too much overhead.

We agree on all points except the last paragraph

While using guest temporary smart cards is a certainly possible.... I seriously doubt most businesses will adopt it any time soon for guest access. I can see some businesses implementing such a solution such as financial institutions or hospitals, but most probably will not go that route due to cost issues. Secondly, I do not see hot spot providers like Starbucks/T-Mobile, Boingo, etc ever implementing such a solution. And if they do implement such a solution.... they will want even more money. For example, TMobile has an 802.1X supplicant avaialble for use at any of their hot-spots.... but the cost is DOUBLE what normal unsecure access costs.

Plus all these cities are now trying to implement city-wide public access via mesh networks and they will also have zero security.

I'm afraid wide open wireless guest networks will be around for a long time to come

Well, I guess time will tell. The stuff that is expensive and hard to implement today will become cheap and easy tomorrow.

Cellular solutions, while expensive today, will become the wireless solution of choice for the Road Warrior tomorrow. Just as the cost of cell phones and "minutes" has dropped enough in recent years so that many people no longer use land lines in their home, I suspect cell phone modems and service will also become more affordable.

JDMurray

sprkymrk wrote:

I suspect cell phone modems and service will also become more affordable.

The only problem is that cellular services don't want to offer high-speed cell phone modem service because it would complete with their broadband services. For example, Verizon offers their EVDO wireless cardbus laptop adapter for $60-80/month, and the service is typically excellent. In comparison, Verizon's vx6700 PDA has a wireless modem, USB connector (works with both PCs and laptops), 1.3MP camera, and Windows Media Player for only $40/mo. I've read that the vx6700 could provide even higher speeds than the EVDO card, but Verizon purposely throttles it back so as not to compete with its wireless service. Verizon would rather that you buy and subscribe to both.

keatron

jdmurray wrote:

sprkymrk wrote:

I suspect cell phone modems and service will also become more affordable.

The only problem is that cellular services don't want to offer high-speed cell phone modem service because it would complete with their broadband services. For example, Verizon offers their EVDO wireless cardbus laptop adapter for $60-80/month, and the service is typically excellent. In comparison, Verizon's vx6700 PDA has a wireless modem, USB connector (works with both PCs and laptops), 1.3MP camera, and Windows Media Player for only $40/mo. I've read that the vx6700 could provide even higher speeds than the EVDO card, but Verizon purposely throttles it back so as not to compete with its wireless service. Verizon would rather that you buy and subscribe to both.

Verizon and Sprint pretty much have the same offerings. I have the 6700 from sprint and I also have the air card. To be quiet honest, I don't see much any difference. Where I do see a difference is when i go check the bandwith on 2wire.com or similar site. If you wanna have fun, call up Sprint or Verizon and ask the technicians to explain why this is so,, then watch em dance.

garv221

hanakuin wrote:

What do you think of the implications of FON, I believe that it's fon.com where you purposly share your internet connection with the world. They ship you a free wireless router and you decide to bill or not to bill people using your connection. Some of services like these are really gaining alot of ground.

I remember reading an article about this last year. Do you know anyone who does this?

hanakuin

I was going to do it for the free router until I realized that it had custom firmware on it to run FON's gateway application to allow internet access. It wasn't totally free, I think that you had to pay for shipping costs.