Nowadays it is hard to find a place with less than 3 WiFi networks in range of our network card. Even though most of the access points are already protected by WPA, occasionally some are either not secured at all, or are secured by WEP (basically they are not secured either). When visiting a new place, or using laptop beyond reach of our internet access it is especially tempting to ‘perform penetration testing’ of such networks and eg check email. While most of these incidents will go unnoticed by owner of the access point and does little harm – which means that there is no enough reason to involve law enforcement resources and criminal prosecution – sometimes it turns into outright stealing of bandwidth and ‘free’ source of internet. Unfortunately it is hard to define what exactly constitutes of unauthorised access as well as proving guilt of perpetrator.
Most jurisdictions, as well as convention on cybercrime, includes crime of unauthorised access to computer network. Using often included very broad definitions, which commonly states that computer network is group of interconnected devices which perform automated data processing it is easy to say that accessing someone’s WiFi falls under this definition. The problem that arises is that most of the time stealing wireless connection is completely different felony that ‘unauthorised access to computer network’. It rarely includes breaking into other machines connected to hotspot and intercepting or altering data stored there – the very core of ‘hacking’. As a result either sanctions defined in statues have to be very broad to include all possible situations on the spectrum, or adequately high punishment could be applied to rather petty crime. Much more problems in this case however rises the very definition of unauthorised.
On top it seems that there is a little room for a debate. Especially when network is secured by any kind of encryption – obviously owner does not want to share it with anybody. What about unsecured networks? What should be assumed about them? Should we differentiate between those set up by venues such as restaurants, fast foods and malls and those set up in private? Obviously the former are more likely to be set up for general public, however should it be assumed that they are intended to be used only by customers, and if so should it be publicly announced. Such questions are only tip of the iceberg, perhaps more important is question of damage done by ‘unauthorised’ access. The traffic stolen seems to be negligible as most common use of this networks is checking email and facebook, while signal is too weak to be functional full time connection. On the other hand if someone does not have any kind of connection at home, urban hotspots might be only solution – after all United Nations considers internet access to be a human right, so perhaps requirement of making enterprise hotspot publicly available should be set.
Private networks are not as less confusing as it would appears. While without a doubt, if network is protected, trying to gain access is unauthorised, unencrypted networks are once again not so obvious. The most common analogy used is comparing lack of protection to unlocked doors – leaving open doors to house does not authorised anyone to come in, or steal furniture. However it seems that this reasoning does not encompass complexity of the problem. First of all, there is significantly less to lose if someone is using our WiFi, it might be even said that there is hardly anything lost at all if we have broadband connection with unlimited data transfer. Second, while taking things out of private property is universally frowned upon, there is a growing sentiment of allowing strangers to use private network. Famously Bruce Schneier claims that he leaves his WiFi unsecured and open to use for anyone for various reasons. On the most basic level it is simple politeness. Schneier compares sharing network to offering a cup of tea to a stranger which adheres to idea of internet as a human right, and something nowadays as basic as food or shelter. On the more serious note enabling open WiFi mitigates possibility of being sued (successfully) in criminal and civil cases. In case of both hacking and intellectual property litigation IP is only evidence linking suspect to a crime, and even that is often not sufficient to result in conviction. Therefore things become even more complicated when it is network is publicly available and literally anybody could have used it at the particular time of attack. While it might sound like a way to help criminals, reasons might be more pragmatic and ‘self-centred’. It is well known that entities such as RIAA has engaged in massive, blanket law suits, suing thousands of users on the basis of downloading a file from certain server or running torrent client. Regardless of moral stance on such practice, it is not unreasonable to take precautions against being drawn into law suit like that.
The bottom line of all those arguments is how criminal law should approach the problem, and what should be boundaries of penalisation. Fortunately it appears that problem is not so volatile, as law enforcement is rarely engaged in chasing WiFi thieves, furthermore if someone really wants to restrict access to his network, strong WPA2 password is more than enough. Contrary to locking down the house, modern WiFi protection is much easier, reliable and in case of breach losses are certainly less serious. If the breach would somehow cause massive damage, support of law enforcement should be available to the victims – and regulations about unauthorised access to computer network are probably enough. Also there is no real way how law enforcement could learn about the crime, other than from the victim, when breach has been detected – summing up it seems that the best way to solve the issue would be making it crime prosecuted at the request of the victim while at the same time regulating whether open access WiFi should be treated as open for everyone.