Whilst I was researching my earlier post about WiMax in Milton Keynes, I came across an article on The Register about a couple of guys who got themselves arrested for accessing someone’s open Wi-Fi connection.
The comments make interesting reading – I recommend a read but will warn you that there are 111 of them, so you’d better be good at skim reading!
There are lots of useful analogies there (and the general consensus seems to be that, if a Wi-Fi access point is open, then you are inviting people to come in – especially with most wireless cards configured to connect to the strongest available signal – and that, if it’s secured, then it is clearly a private computer system) but I found a few of them particularly interesting after reading Section 1 of the Computer Misuse Act, 1990 (I’m sure other laws can equally be applied):
Unauthorised access to computer material
(1) A person is guilty of an offence if—
(a) he causes a computer to perform any function with intent to secure access to any program or data held in any computer;
(b) the access he intends to secure is unauthorised; and
(c) he knows at the time when he causes the computer to perform the function that that is the case.
(2) The intent a person has to have to commit an offence under this section need not be directed at—
(a) any particular program or data;
(b) a program or data of any particular kind; or
(c) a program or data held in any particular computer.
(3) A person guilty of an offence under this section shall be liable on summary conviction to imprisonment for a term not exceeding six months or to a fine not exceeding level 5 on the standard scale or to both.
Based on this it could be argued that, if anaccess point is broadcasting SSIDs and is unencrypted, then a person cannot know that the access that they intend to secure is unauthorised. It could also be argued that, by broadcasting its presence, the access point accessed any computers with wireless cards in the area without their respective owners’ permissions. Or consider, as another commenter highlighted, what happens when pinging a computer’s IP address – is that not requiring the other computer to perform an action (even if that action is to reject ping responses, it still has to read the packet)? What about accessing a web server – did I explicitly give you permission to come here and read this article? No, but by publishing this website, I gave implicit permission, which is expanded further in my legal notice. Ergo, by leaving wireless access point open and broadcasting it’s SSID, I would be giving implicit permission to access it.
I know there’s at least one Copper who reads this blog and I’m sure he has an opinion. As of course, do I. And that’s why I locked down my Wi-Fi.
Usual caveats apply: I am not a lawyer; don’t interpret anything you read here to be legal advice; etc., etc..
Your article interestingly makes the observation that by advertising it is there, and having an open door policy, such routers are inviting others to connect and use their services. But if a local shop advertises and you were to walk into it one day, find there to be no security guard and therefore quite easy to take something and walk out, questions may be asked.
The legality of it all is defined in the Communications Act 2003, which states a “person who (a) dishonestly obtains an electronic communications service, and (b) does so with intent to avoid payment of a charge applicable to the provision of that service, is guilty of an offence”.
Hi Simon,
You couldn’t resist could you ;-)
There are many other analogies on the original article, but no-one I saw pointed out the Communications Act of 2003 – thanks for the information.
Your knowledge of the law is obviously far better than mine, but that sounds to me as if in order for (b) to apply, there must have been a charge for the service. If I make an open access point available without an associated charging mechanism, how can someone access it “with intent to avoid payment of a charge applicable to the provision of that service”, regardless of their intentions (dishonest or otherwise)?
So, if I access a BT Openzone hot spot, for example, and somehow circumvent paying for the service (deliberately), I can see that (a) and (b) apply, and I would potentially be open to prosecution (subject to whether the local police and the CPS think it’s worth their time and effort to follow up – and, let’s face it, they probably have better things to do, most of the time). But if the hotspot provider does not set up a charging mechanism, regardless of whether they meant to do so or not, how can I have avoided payment with intent? This is further complicated if I did not consciously elect to connect to the network but my PC operating system software connected to the open Wi-Fi access point on my behalf (or course, the presence of tools like Kismet might indicate intent).
Mark
You use the word hotspot, which I take to mean an access point deliberately setup to provide access to the general public, on payment or otherwise. I think the offence is more geared towards leeching off of Joe Public.
Besides which, the law is devided into Mens Rea and Actus Reas (guilty act and guilty knowledge). In a lot of offences you need to know what you’re doing is wrong in order for you to be prosecuted (I wouldn’t rely on this as a defence though!). In the case you’re highlighting, the court would need to be shown that you deliberately connected to that network. If you drove and parked up outside someone’s house repeatedly then you’re going to have a hard time saying you didn’t mean to connect to that net, for example.
Yeah, I probably shouldn’t have said hotspot, because that does normally imply a commercial service but my Wi-Fi client has no way of telling the difference between a public access point and Joe Public’s unsecured home connection (except that there aren’t too many commercial services with an SSID of Belkin54g, Netgear, or similar).
Interesting to hear of Mens Rea and Actus Reas though – especially as I’d always been taught that ignorance (of the law) was no defence. Like you said – probably a bit risky to rely on in court!
Also interesting to note in the BBC story that you linked to:
That was exactly my reasoning behind securing my network – I don’t care if someone borrows a bit of bandwidth but I don’t want to end up in clink if they do something and I get the blame.
And with the penalty for hijacking someone else’s wireless network including confiscation of the equipment, that could well plug a hole in the Police IT budget ;-)