Judge Says Sniffing Unencrypted WiFi Networks Is Not Wiretapping
from the if-it's-freely-available... dept
There’s been a lot of discussion over the past few years concerning whether or not intercepting data on an open WiFi network is a form of “wiretapping.” This has been a central issue in one of the legal challenges to Google’s Street View cars collecting data from open WiFi networks. I’ve long argued that on such an open network, it shouldn’t be wiretapping because it’s wide open and available for anyone to see. Yes, that may be a security concern, but it’s one that an individual user can deal with. It certainly shouldn’t be illegal for someone to sniff that data. If you’re broadcasting something free and clear and I then read it… how is that wiretapping? Unfortunately, last year a judge in a case related to Google’s Street View capturing came to the opposite conclusion, but in a convoluted way where the court declared that WiFi is not a radio communication (even though it is).
However, in a totally unrelated case, a judge has now come to the exact opposite conclusion again, and noted that sniffing open WiFi is legal. The case is one that we’ve already talked about, though in a very different context. A patent troll called Innovatio IP has sued a bunch of businesses (hotels, coffee shops, restaurants) that offer WiFi to users, claiming that anyone using WiFi infringes, though it says “at this stage” it won’t go after individual users, only businesses. In trying to win its patent lawsuit, it wanted to use evidence from packet sniffing on some open networks, and asked the court to say that this is legal. And the judge has now said it is. First, unlike in the Google case, the judge has no problem recognizing that WiFi is electronic communication using radio waves. Then it points out that open WiFi quite clearly fits under the stated exception to the wiretapping laws, which is that they do not apply to “a system that is configured so that such electronic communication is readily accessible to the general public.” The judge then pushes back on the ruling in the Google case, noting that the judge there claimed that the data on an open WiFi network was only available via “sophisticated technology.” This judge isn’t buying it:
… upon examination, the proposition that Wi-Fi communications are accessible only with sophisticated technology breaks down. As mentioned above, Innovatio is intercepting Wi-Fi communications with a Riverbed AirPcap Nx packet capture adapter, which is available to the public for purchase for $698.00. See Riverbed Technology Product Catalog, http://www.cacetech.com/products/catalog/ (last visited Aug. 21, 2012). A more basic packet capture adapter is available for only $198.00. Id. The software necessary to analyze the data that the packet capture adapters collect is available for down load for free. See Wireshark Frequently Asked Questions, http://www.wireshark.org/faq.html#sec1 (last visited Aug. 21, 2012) (“Wireshark is a network protocol analyzer. . . . It is freely available as open source. . . .”). With a packet capture adapter and the software, along with a basic laptop computer, any member of the general public within range of an unencrypted Wi-Fi network can begin intercepting communications sent on that network. Many Wi-Fi networks provided by commercial establishments (such as coffee shops and restaurants) are unencrypted, and open to such interference from anyone with the right equipment. In light of the ease of “sniffing” Wi-Fi networks, the court concludes that the communications sent on an unencrypted Wi-Fi network are readily available to the general public.
While the court admits that many users probably don’t know their unencrypted data is subject to sniffing, that does not play into the analysis. The law doesn’t say whether or not the user’s perception matters. It only matters if the communications are “readily available to the general public,” which they are. Legal expert (especially on privacy issues) Orin Kerr disagrees with this ruling, claiming that the intent of whoever configures the network is what matters, but I’m not sure I buy that claim either. He compares it to early cordless phones that easily “leaked” data, noting that no one designed those systems to do that, and the same is likely true in most cases with open WiFi. But that’s pretty different. The case of unencrypted data on an open wireless network isn’t some sort of accidental leakage, it’s the basic nature of any open network.
Either way, I get the feeling this is not the last we’ll be hearing of these kinds of cases. Though, if you’re really worried about your data on open WiFi networks, there’s an easy way to deal with it: encrypt your data.
Filed Under: privacy, sniffing, wifi, wiretapping
Comments on “Judge Says Sniffing Unencrypted WiFi Networks Is Not Wiretapping”
Yet the data, even on an “open” network, is encoded. It’s not words being spoken, it’s 1s and 0s that must be processed interpreted to be understood. I don’t have a problem with anyone listening (with a speaker) to a wi-fi signal, but I certainly do have a problem with them receiving the digital communications, decoding them (required step) and then using them.
I think the judge got this one wrong.
So you think that digital radio should be handled differently from analog radio? Why? Your argument makes no sense. A freely distributed CD should be legally different from a freely distributed broadsheet? Because it is “encoded”? Total B.S.
Re: Re: Re:
From his point it makes perfect sense.
You need to remember that IP maximalists are always driving and pushing for more control. It is easy to dismiss their single mindedness as simple mindedness, indeed that is part of the purpose of their trolling but this is a great example of how they work. The idea is to start to introduce the concept that anything that to “process” 1 s and 0s is some mysterious black art that only Hackers and Pirates would use. These mysterious “decoding” tools must be taxed/regulated/stopped/banned and their users punished.
It sure is a good thing that many wireless access points have a “security” feature that the user can toggle at will.
Making it illegal to sniff open networks would be like making it illegal to peer into car windows, which are inherently transparent and window-ish.
I just don’t see the problem with this ruling. But then, what do I know?
By that argument you can’t watch broadcast TV any more since that is “1s and 0s that must be processed to be understood”.
When you have to twist yourself into absurd logical knots in order to make your argument, your argument is probably awful.
So you listen to the radio only with an antenna directly connected to a speaker? That’s not going to work very well.
In addition, deaf people understanding speech via lip reading would also be in big trouble under your criteria. Or anyone “listening” to sign language. Or ham radio operators interpreting Morse code.
Your convoluted logic would, if actually enforced, tie all of human society into a big knot (kind of like the current state of copyright law).
Re: Re: Re:
And all the more ironic since “wiretapping” laws started with the telegraph (or “the wire”), where all communications were encoded with morse code.
But spoken words are encoded too. There is the English encryption, also French, Spanish, Cantonese, etc.
An English speaker could not listen in to a French conversation without decoding it (requiring a translator).
Re: Re: Re:
Just noticed I was signed out. The above comment was me. =P
SAD DAY FOR YOU.
starts up wireshark and browses the frequencies. (like radio)
I cant disagree more. If you were concerned with that, then you should put a password on your wifi. Problem solved. If it is freely accessible, then that is the fault of the person that set it up.
Anyone can log in to their wireless router and configure a password. If you can connect your computer to your router, then there is no reason you cannot put a password on said router too.
Re: Re: Re:
you realize that your phone lines are not encrypted the are wide open you wouldn’t even need to splice them with todays tech same goes for cctv feeds, same goes for credit cards its just a routing number and your name, same goes for enencrypted wireless keyboards and mice, same goes for spoken conversations in a house (bounce a laser off the windows) same goes for cell phones clone the esn and you are listening to someone else s calls (maybe this has changed) same goes for forum post (have you seen the research on how to identify someone base don there handle) same goes for emails that arent sent over secure connection. where do you draw the line for anyof these examples there are counter measures but i really dont want to spend all day securing all of my communications when they shouldnet be spyed on with out a judges say so how hard could it be this is the onformation age email text call facebook, instant message i dont care, if judge doesn’t sign off on it the police shouldn’t be intercepting communications i don’t know why they are so afraid to ask.
Re: Re: Re: Re:
Can someone bypass the indecipherable encryption of the above comment?
Radio frequency amplitudes that carry the voice are the same as 1s and 0s. Both decode and both carry the data in a way human’s can’t understand it without the machine.
So if I translate spoken English into a different language to process then that is wire tapping but native English speakers (listeners) are not guilty? Tell me how that makes sense either!
“Yet the data, even in this post, is encoded. It’s not words being spoken, it’s letters and punctuation that must be processed interpreted to be understood. …” Are you wiretapping me right now? no.
That something is encoded is not relevant. There can be no communication without encoding, whether that encoding is TCP or English. Encryption is the only thing relevant here. Encryption differs from encoding in that it uses a secret (e.g. password, key, etc), whereas encoding does not. Open networks are not encrypted, so reading them is no different than reading this post.
“…I certainly do have a problem with them receiving the digital communications, decoding them (required step) and then using them.”
Let’s apply your statement to that other means of getting info from the out of the air:
“I certainly do have a problem with them receiving the analogue communications (broadcast radio waves), decoding them (required step, using a radio) and then using them (by sending them to speakers).”
Sound silly? Yeah, coz it is.
Secure by default
Secure by default should be the standard. Why is it not?
Re: Secure by default
Hobo with an iPad?
Anyone stupid enough to leave their WIFI open deserves what ever happens to them.
Clearly, you didn’t read the article, or have no clue what you’re talking about.
Wifi is broken-by-design here.
You currently cannot offer “public wifi” without leaving it unecrypted.
The real fix would be to encrypt every connection – even without requiring the user to provide a password, but Wifi wasn’t designed that way to begin with, leaving us with a situation where you cannot give someone a public connection without either giving them the password in advance, or allowing them to use it unencrypted.
Re: Re: Re:
Its a simple procedure to shell in to your own network at home so all of your traffic on an ‘open’ wifi connection is encrypted.
If people are using the internet, they should take the time to learn how it works.
It shouldnt be illegal based off of peoples ignorance or stupidity
Re: Re: Re: Re:
I wouldn’t say it’s “simple” per-se… what if you’re using an ipad, or other less-configurable wifi-enabled device?
What should be made clear is that “open Wifi” is indeed designed to be sniffable. It is open in every sense of the word.
What would be nice is a new wifi feature where one can provide free wifi access that is encrypted while at the same time requiring no password. This is entirely possible, of course, but no wifi standards have yet been implemented to support this.
There are some grassroots movements to provide a similar system, but providing a specific WPA-encrypted SSID with a certain password that everyone automatically knows – but it hasn’t really taken off as far as I can tell.
Intent matters does it? So if I leave a $20 bill in the middle of the road, intending to come back later and someone picks it up, I can have the person arrested for theft, while if I leave another $20 bill in a similar situation intending for whoever finds it to benefit, I can’t??? I can see the argument in a situation where you have no choice and where your intent is clear (like leaving your clothing in an open cubby at a school gym class – and yes, I did go to a school like this) but where you have a simple alternative, like encrypting your network? No, the fact that others have eavesdropped is 100% your own fault and responsibility. Having the state protect us from ourselves by enforcing what we intend is but one small step from having the state decide for us what we should want and then enforcing that. That’s somewhere no sane person should want to go (except perhaps for the mendacious who believe they will be the rulers who decide).
So, Sat. TV is free to anyone who can decode it?
How come if you ‘receive’ (decode, watch on your television) the signal that umpteen satellites are broadcasting directly into your house, without an agreement is _illegal_ but doing the same to a WiFi signal is perfectly O.K.?
It appears that the fact that you need specialized equipment shouldn’t be a factor in deciding if it’s legal or not.
Re: So, Sat. TV is free to anyone who can decode it?
Sat TV companies (DirecTV, Dish Network) claim that they “own” the hardware and/or decoding cards now. Supposedly if you are in possession of one of these and using it to decode their signals without their permissions, you are breaking some sort of law.
So, in theory, if you can decode the signals without using their own hardware or card system, then you may not be breaking the law… but it’s hard to say.
Re: So, Sat. TV is free to anyone who can decode it?
The answer is because that _sat signal_ is encrypted. You have to crack that code.
When you connect to _open wifi_ it is not encrypted… therefor nothing to crack
Re: Re: So, Sat. TV is free to anyone who can decode it?
But as the parent was alluding to – the difference between encoding and encrypting is a VERY fine line.
What if the encryption used was ROT13 – would anyone seriously believe that it was encrypted? Would that still make it illegal if everyone knew that it was ROT13 and anyone with 3rd grade comprehension level could decrypt it?
Re: Re: Re: So, Sat. TV is free to anyone who can decode it?
the difference between encoding and encrypting is a VERY fine line
Encoding and encryption are two very different things.
Encoding allows data to be changed from one representational form to another. Encoding is based on character maps like ASCII, Unicode, or Base64. The format is publicly available.
Encryption transforms the data into ciphertext that requires a key to decrypt. The key is not public so the data in the ciphertext is considered secret. Examples include AES, Blowfish, RSA.
What if the encryption used was ROT13 – would anyone seriously believe that it was encrypted?
ROT13 is a form of encryption, it may well be the weakest form in existence but it is still a form of encryption.
Would that still make it illegal if everyone knew that it was ROT13 and anyone with 3rd grade comprehension level could decrypt it?
Possibly. Anyone that actually used ROT13 as their encryption algorithm to protect sensitive data would be guilty of gross incompetence and negligence.
Re: Re: Re:2 So, Sat. TV is free to anyone who can decode it?
[i]Possibly. Anyone that actually used ROT13 as their encryption algorithm to protect sensitive data would be guilty of gross incompetence and negligence.[/i]
And, by extension, most security-conscience individuals would also say that anyone using WEP to encrypt their wifi is also guilty of gross incompetence, no? I mean, they still ship wifi routers with WEP support, and it has been proven to be a worthless form of encryption.
So – where do you draw the line? All encryption has weaknesses, and could eventually be broken, or subverted. If these methods are known, and easy to crack, or rely on relative obscurity (such as CSS), can you still call them “encryption” that is worthy of legal protection?
As for satellite signals – it falls into the same realm as CSS, except they’re broadcasting it rather than offering a physical device which you purchase and decrypt. One might argue that if you develop hardware/software break the encryption, it’s fair game.
However, in most sat hacking situations, it’s usually a use of the hardware and software (i.e. decryption cards) provided by the company to licensed individuals to unlock the streams, rather than independently engineered devices. This is where the legality gets sketchy – as you don’t necessarily own the device in question to begin with.
Re: Re: So, Sat. TV is free to anyone who can decode it?
So are you’re saying is that if someone drops a puzzle in your lap (broadcasts it into your house/yard) you aren’t allowed to solve that problem legally?
You seem to be saying that it’s illegal to figure things out.
After all that’s all an encryption is. It’s a code, a puzzle.
How tough does the puzzle (encryption) have to be to make it illegal? Since using a simple code, converting it to a ‘standard set’ of ones and zeros is perfectly legal according to this judge. If I shifted each letter 13 places (ROT13) is that ‘encrypted’ enough? What if I just inverted all the bits? Used XOR? Wrote all my packets in Esperanto?
All depends on who's doing the tapping
A reporter for a local paper sat on the bleachers of the local high school and accessed an OPEN mount point on the schools file server via an open WiFi network. He didn’t modify any files but he was able to open and read stuff that shouldn’t have been publicly available. Then he wrote about it for the paper. The school district’s IT department was in a dither about the lack of security but don’t know if the City attorney tried to go after this guy. This was in Palo Alto, the heart of the Silicon Valley.
If open WiFi networks aren’t wiretapping, then the DA had no case. But that didn’t stop them from trying to make one.
Re: All depends on who's doing the tapping
Those are two different things.
This judge ruled that sniffing the traffic being transmitted by an open WiFi network wasn’t illegal.
Accessing the insecure mount point was a different thing altogether.
Whatever happened to 18 USC 2511? http://www.law.cornell.edu/uscode/text/18/2511#2_a_ii
Let’s just sniff the judge’s passwords.
Its really simple in my opinion. If you password your network and someone breaks in, its illegal. If you leave it unsecured then it becomes a public connection. This is not to be compared to if you leave your front door to your house unlocked, and someone breaks in, compared to if someone breaks the door down. Wifi signals are like any other radio signal in this regard, if it comes into my space and its readable by a device with no locks or security, then I have the right to read/use that signal. I don’t however have the right to damage, steal from, or hurt the signal provider in anyway. That’s a separate issue.
I will remember this next time I want to get into your facebook. Hey if its open its public.
I hate facebook but knock your self out. I think your comparing apples and oranges. You getting into my facebook would be a hack, my connecting to an open network is not.
If you leave $20 in the middle of the road, the money becomes lost/abandoned, anyone who picks it up is morally not legally obligated to do anything. The law clearly states, finders keepers losers weepers, law section 1024:12-3.
Colin, in law, intent does matter. The standard common law test of criminal liability is expressed the the Latin pharse, actus non facit reum nisi mens sit rea, or “the act is not cupable unless the mind is guilty.”
So, “mens rea” or guilty mind refers to the a person’s awareness of the fact that their conduct is criminal. An exception to this is in civil law it is not necessary to prove a subjective mental element for a breach of contract or “tort.”
I just started sniffing wifi for a work project. We are getting all sorts of info, and these people aren’t even connecting to our wifi. We now know how long they stay, which manufacturer makes their device, and how many people have smartphones with wifi on in the area on any given day. It’s incredibly useful data.
If someone is going to bring their device on my property, then use it to blast invisible waves right through my body and potentially give me cancer, then I’m happy that I can analyze those waves and learn more about these people. They are the ones putting it out there, I’m just picking it up.
The next step of this project? Wifi signal strength = proximity to adapter. Combined with raspberry pi camera & facial recognition software at the POS, and I now know their names and address for the next time they walk in the door. Brave new world, 1984, was here yesterday.