Subscribe with Bloglines The Privacy Lawyer: 08/01/2005 - 09/01/2005

Wednesday, August 31, 2005 | Opinions - well said about .xxx! | Opinions: ""

Monday, August 22, 2005 - Anti-porn spam laws to shield kids backfire - Anti-porn spam laws to shield kids backfire

Friday, August 19, 2005

The catch-all law...trespass. Unauthorized wifi and wireless access

when in doubt, when you can't find a law that covers unauthorized Internet activity, everyone turns to trespass. It was the law used by AOL and others when fighting SPAM, claiming that the SPAMMERS were accessing their networks without authorization, and therefore committing trespass.

Trespass arises under state, rather than federal, law. Here too you will have to identify some kind of damage to the person from whom you are netnapping access. Once again, the larger the files, the more frequent the activity, the more easily your unauthorized access could constitute actionable trespass.

who knows...
but forewarned is forearamed.

until later...


The Computer Fraud and Abuse Act...and unauthorized wireless network access

The best fit of all US national laws (other than trespass) is the CFAA (the computer fraud and abuse act). It criminalizes intentional access of a computer. The CFAA was used in a case involving Lowes and someone who accessed an open wireless access point (a WAP) to steal credit card information of Lowes customers stored on their network. Here the access was a small component of the larger criminal activity.

The law requires the intent to access, as well as a requirement that there is some damage caused by the unauthorized access. It also requires proof (at least by implication) that the access is unauthorized. There are many factors that can be usewd ot prove that the person accessing the WAP knew that it belonged to a family (such as when they use their surname to name their WAP) and therefore the interloper should have known it was unauthorized.

But what is the damage? perhaps increased demand on the wireless bandwidth? The CFAA provides that damage can include any impairment to the intergity or availability of data, a program, the syste or information. (1030(a)(5)(A)(ii). Diminishing the capacity or slowdowns may qualify as an impairment, under the law. The mere exchange of information is enough to trigger a misdemeanor (although it is arguable that a violation of the CFAA's section 1030(a)(2) may not be triggered by a mere exchange of packet and IP information required in the mere act of accessing a WAP).

although not designed to criminalize the unauthorized access of an unsecured WAP alone, as prosecutors seek laws to use to put netnappers in jail...they will probably look to this one.

until later...


not wiretapping laws...

I've received several e-mails telling me that the wiretap laws don't criminalize wifi open network access without authorization. Although the wiretap laws have been used in some cases (the Electronic Communication Privacy Act or state equivalents) to proescute interception, it has been used to intercept communications/content rather than the access itself. (interception of digital pager transmissons and commercial satellite programming are two often cited examples of those cases).

People wrote in that notices would have to be posted before unauthorized access could be criminalized under the wiretap laws.

There is some confusion there. Notices are often recommended in a work environment, where the employer is monitoring or intercepting the commmunications of employees and others using the workplace computers. There is an exception to the wiretap laws which allows employers under certain circumstances to monitor and intercept communications. But the best practice is to inform your employees that they are being monitored (some states require it), so that you can rely on the better exemption - consent (actual or implied consent). The notice wouldn't apply in a wifi access case, even if the ECPA could be used to prosecute incoming, as opposed to outgoing, access of a network when no actual communications are being intercepted.

I never said that the wiretap laws would apply to wifi unauhtorized access.

I don't think they do or should.

until later...


hitting a hot button...

every once in awhile I write an article that hits the hot button. Last year I wrote one about the Patriot Act and Confidentiality, how to balance your wanting to help with a terrorism investigation but needing to protect yourself against privacy lawsuits. That one won an important Gold Award from the business editors trade association.

I ranted about the trials and tribulations of traveling overseas and spotty access, as well as having to carry four devices to do what one should be able to do. I still get mail about that one.

But this one, on unauthorized access of unsecured wifi networks and the law, has topped all the others.

The origin of this article is far more intersting than the article itself. I really was sitting with one of my teenangels ( at a coffee shop in Washington, DC. Interestingly enough, I was waiting for someone from the MPAA to discuss our upcoming anti-movie-piracy educational camapaign at
(There is something ironic about meeting on an anti-piracy campaign we are designing while technically pirating someone's wifi access :-))

The conversation took place as I have recounted it in the article. But I was intent on explaining that while it is probably wrong, it is probably not illegal. I know that this shouldn't make a difference for someone who devotes her entire life to helping kids become better cybercitizens and more ethical users of technology. But I really do have problems being unconnected, and receive 1000 e-mails every day I have to respond to, so offline time makes it impossible to handle. And, as most of you may understand...I just want to be connected, as long and as often as possible.

So, I do what the kids do when they download music illegally, I access open wifi networks because I want to get online, it's free and because I can.

I wrote the article, explained our conversation and that it wasn't ethical. And then didn't get a chance to submit it to my editor for a couple months. As I finally got it done and sent it off to my editor at information week magazine, I received a heads up from my son that Drudge has just reported the prosecution of someone from Florida for war-driving. (All prior cases involved some other type of criminal activity.)

oh!oh! I hate when that happens. I reviewed my legal analysis, and decided that I was probably still right, but hedged my bets by citing the case. The article ran two weeks later and the world exploded.

I have been getting e-mails and phone calls from NPR and other national news outlets about this article and my thoughts about open access of wireless networks.

My webmaster e-mailed me telling me that she had thought securing home networks was wimpy, and hadn't thought about the risks of someone using her IP address to do something illegal.

So, while I haven't had much time to do some original writing on my own main blog recently, I'll start adding information about the law on this and personal experience. It is obviously important to my readers.

Just remember...I hate this as muich as you do. I want to be online every moment from everywhere too. I think we are all entitled to the inalienable right to surf 24/7. But a judge somewhere may not agree.

So, unless you can find a judge just as obssessed with the Internet as we careful and buys stock in national wi-fi access companies. I expect their stock to rapidly increase in value.

until later...

The Privacy Lawyer

Wi-Fi freeloading...war driving...and netnapping - other people's wireless access - what's the law?

The Privacy Lawyer: Wireless Freeloaders Are Breaking The Law

You can try to justify it, but there's no way around the fact. And if you fear it's your wireless connection that's being stolen, it's time to get proactive about securing that network.

By Parry Aftab, InformationWeek
Aug. 15, 2005

I love my Sony Vaio PCG-4C1L computer. I bought it for myself as a Christmas gift. People notice it wherever I go. It has a DVD burner, is tiny, and weighs next to nothing. One of the best things about this computer is that it has built-in wireless. Before this, I had to insert a wireless card. But this little powerhouse lets me connect everywhere all the time. I don't need or want Internet access on my handheld. My little computer fits in my purse and weighs less than a bottle of water. I can surf and check E-mail on my main laptop everywhere as easily as on my Treo. More easily, in fact. And that's part of the problem.

I've complained before that I needed one device that would do E-mail, Internet access, cell phone, and organizing. I bought the Treo 600. Now I'm convinced that surfing using a little handheld device isn't the way to go. Connecting wirelessly, while using a computer small and light enough to carry around, is. But there's a small problem ... to be able to connect almost everywhere, at any time, you need to use Wi-Fi networks. And that means other people's unsecured wireless networks.

Last year, someone wrote me a question, asking me about using his father's neighbor's wireless networks when visiting his father. I pontificated that it was wrong to do so, and he should arrange for high-speed access at his father's apartment or go to a Wi-Fi hub to surf. But that was before. Before my new little laptop and my newfound freedom to surf everywhere, whenever I want.

I was doing this happily. Free at last! Like Pinocchio, I have no wires! I am a live girl! And one day, the head Teenangel (from, the group I founded to help educate kids on online safety, privacy, and security) noticed that I was connected while sitting over a cup of coffee. I proudly showed off my new computer and explained that you can find an open access point just about everywhere. She just looked at me and frowned. "After everything you taught us about cyberethics, you are stealing Internet access?" she charged. (I hate when kids do that!) I stumbled around explaining that no one was being hurt by it and if anyone wanted to lock us out, they could easily do it by securing their wireless network. Her frown didn't alter. "It's stealing!" she pointed out.

I then did what every self-respecting parent and Internet lawyer would do ... I back-pedaled. I explained the legal concept of "any port in a storm" that we learned in law school the first week. Patiently, I taught her that in England a long time ago, wealthy landowners often would refuse to allow people to tie up to their docks. But when a hurricane hit, the courts decided that if it was the choice between people drowning and the property rights of the landowner, the need to preserve life wins. That's where the saying "any port in a storm" came from. I looked up triumphantly. "Understand?"

As only an FBI-trained teen could do, she looked me straight in the eye and say, "You're kidding, right? You aren't really equating Internet access whenever you want it with someone dying in a hurricane? Are you?" (My triumphant smile faded. And I was tempted to explain that to some of us Internet addicts, access is life. But I could see it on the front page of the National Enquirer and instead I racked my brain for a better response. I had learned enough in law school to turn the question back on the student while I took the time to think. "Would it make a difference if it were a life and death Internet emergency?" (OK, I was grasping at straws, and by the look on her face, she knew it.)

"Like what?" She obviously had watched a movie or two about law school, and used the turnabout-is-fair-play Socratic method, asking the teacher a question when responding to the one the teacher had asked her while seeking time to think. I knew I was working with a master here. So, I grasped for the ultimate response. Rarely used, except in the most dire situations, I said "I'll look into it and maybe write an article about it for InformationWeek." She sat back, satisfied. I still needed time to think, and my coffee was cold by now. I logged off and drank it. I hate when that happens.

So, what's the law? What are the ethics? And is being denied Internet access for a few hours really the equivalent of death by drowning? (I knew I'd find some sympathetic readers at InformationWeek.)

The legal theories fall under "trespass" (used to fight spammers), intrusion (used to fight hackers and malicious code attacks), and unauthorized access (usually part of intrusion). It's wrong and technically illegal.

But. ("But" is the lawyers' response when they know the legal answer and don't like it, such as when you want to use your little computer everywhere to check E-mail and do research.) But, who's really hurt? If it's during the day and the person has an open Wi-Fi network and isn't home to miss a few bits and bytes, is anyone really hurt? Isn't it like the tree falling in the cyberforest when there is no one to hear it? If no one notices that you're using their access, is it really a crime? Unfortunately for me and my Sony Vaio--yes.

We can argue until we're blue in the face, but the answer doesn't change. It's wrong and illegal. As Wi-Fi users, we should be careful to lock up our networks to avoid tempting drive-by access poachers. But using unsecured networks as an excuse for accessing free wireless connections is like saying it's OK to enter someone's house and watch TV if they haven't locked his doors. It's smart to secure your network, but it shouldn't be a condition to protecting your rights and property.

Any doubts you may still have about the legality of wireless trespass should have been dissolved at the news earlier this year that a Florida man was arrested for accessing someone else's wireless connection. Benjamin Smith III was arrested in April for sitting outside the home of Richard Dinon and accessing his wireless Internet connection, according to press reports. Dinon called police after noticing Smith using a laptop in a vehicle outside Dinon's home. Dinon was wise to call. When someone is piggybacking off your wireless access, it's called "war driving" after the movie War Games, with Matthew Broderick. And often, cybercriminals, knowing that they could be traced back to their accounts using IP addresses, sit in their car on your street using your open access. When the FBI comes looking for the person downloading movies or child pornography, or luring children or sending denial-of-service attacks, they come looking for the person whose account was used, not the war driver. While you may be able to prove that your computer wasn't used for these illegal activities, or that no one was home at the time the activities occurred, it can be very tricky. It's far easier to secure your network with a passphrase.

And when you do, I may have to find other ways of logging on using my new cute little computer... or even pay for access.

Parry Aftab is a cyberspace lawyer, specializing in online privacy and security law, and she's also executive director of WiredSafety. She hosts the Web site and blogs regularly at


Monday, August 15, 2005

Man charged with wireless network trespassing - Jul. 7, 2005

Man charged with wireless network trespassing - Jul. 7, 2005

InformationWeek > Wireless Network Theft > The Privacy Lawyer: Wireless Freeloaders Are Breaking The Law > August 15, 2005

InformationWeek > Wireless Network Theft > The Privacy Lawyer: Wireless Freeloaders Are Breaking The Law > August 15, 2005

Friday, August 05, 2005

Blogathon 2005 - make a donation, blog for your charity. One of our volunteers is blogging for wiredsafety.

Blogathon 2005

Monday, August 01, 2005 You Wanna Take This Online? -- Aug. 08, 2005 -- Page 1 You Wanna Take This Online? -- Aug. 08, 2005 -- Page 1