Networks

General discussion

Locked

War Driving - Legal or Not

By al ·
I've read all of the posts, and I still find it amazing that there is even a question asked here. The answer is VERY simple. War Driving is illegal if and only if you are attempting to bypass a password, WEP key or similar device designed to prevent unauthorized access to the network. War Driving - and 'poaching' service on open, unencrypted wireless networks is not. End of discussion. This has been decided in the courts and is addressed in the United States Code. I can't believe people still ask. WAKE UP - if you don't want people on your wireless network - password protect it. Frankly there are 9.9 gazillion wireless networks out there with ssid's like linksys or netgear. Admittedly SOME of these are intentionally open and some are open out of ignorance - but remember - ignorance of the law is not an excuse. That sword cuts both ways. If you try to crack a protected network, and you don't know its illegal - you're still guilty. On the other hand, if you're ignorant of the fact that not protecting your network with a minimal WEP key, then your ignorance does not make use of your network illegal. I have two networks at my office - one open and one not. Anyone who drives by is free to use ssid SRLLC - it's a convenience to visitors, known and unknown. SBSLLC is a password protected, wireless network - crack and ye shall be fined.

NOTE: Giving your router a unique ssid is NOT a barrier to allowing others to use it.

As to the issue of 'unauthorized use' - if a network is not protected, you are implicitly or explicitly sending a message authorizing use of the network. If you protect it, you are explicitly sending a message to stay away or be subject to fine, imprisonment or both.

Grow up - read the manual. If you don't want people on your network - protect it. Period.

Al Case
Stamford Research, LLC
http://www.StamfordResearch.com

This conversation is currently closed to new comments.

Thread display: Collapse - | Expand +

All Comments

Collapse -

Which Cases?, Your references to Case Law and USC? Legal Statute Definition

by Matthew Yurksaitis In reply to War Driving - Legal or No ...

Can you provide a reference for the cases of "wardriving" in the context of this thread bieng upheld as legal? as well as references to the affirmative aspect of use of open networks whether use is known or implied to be authorized or not? Perhaps providing references to support your argument may help.

Here is a legal reference from the State of CT, and several others as well as some of the revised federal laws: (Please note that is states a person committs a computer crime when they violate and section of the statute.) Computer crime implying illegal. Also note that any action which causes harm to the network etc.. is included whether intentional or recklessly.

-------------------------------------------------
Sec. 53a-251. Computer crime.

(a) Defined. A person commits computer crime when he violates
any of the provisions of this section.

(b) Unauthorized access to a computer system. (1) A person is
guilty of the computer crime of unauthorized access to a computer
system when, knowing that he is not authorized to do so, he
accesses or causes to be accessed any computer system without
authorization.

(2) It shall be an affirmative defense to a prosecution for
unauthorized access to a computer system that: (A) The person
reasonably believed that the owner of the computer system, or a
person empowered to license access thereto, had authorized him to
access; (B) the person reasonably believed that the owner of the
computer system, or a person empowered to license access thereto,
would have authorized him to access without payment of any
consideration; or (C) the person reasonably could not have known
that his access was unauthorized.
(c) Theft of computer services. A person is guilty of the
computer crime of theft of computer services when he accesses or
causes to be accessed or otherwise uses or causes to be used a
computer system with the intent to obtain unauthorized computer
services.

(d) Interruption of computer services. A person is guilty of
the computer crime of interruption of computer services when he,
without authorization, intentionally or recklessly disrupts or
degrades or causes the disruption or degradation of computer
services or denies or causes the denial of computer services to an
authorized user of a computer system.

(e) Misuse of computer system information. A person is guilty
of the computer crime of misuse of computer system information
when: (1) As a result of his accessing or causing to be accessed a
computer system, he intentionally makes or causes to be made an
unauthorized display, use, disclosure or copy, in any form, of data
residing in, communicated by or produced by a computer system; or
(2) he intentionally or recklessly and without authorization (A)
alters, deletes, tampers with, damages, destroys or takes data
intended for use by a computer system, whether residing within or
external to a computer system, or (B) intercepts or adds data to
data residing within a computer system; or (3) he knowingly
receives or retains data obtained in violation of subdivision (1)
or (2) of this subsection; or (4) he uses or discloses any data he
knows or believes was obtained in violation of subdivision (1) or
(2) of this subsection.
(f) Destruction of computer equipment. A person is guilty of
the computer crime of destruction of computer equipment when he,
without authorization, intentionally or recklessly tampers with,
takes, transfers, conceals, alters, damages or destroys any
equipment used in a computer system or intentionally or recklessly
causes any of the foregoing to occur.

By the language of this statute one must "reasonably know" that the access is authorized with no expectation of repayment. And the owner would need to "reasonably know" that the access is authorized or unauthorized.

By this statute the definition of wardriving as in the context of this discussion would be viewed as illegal - although one could always make the argument of "ignorance of the law" or the current state of the WAP device "implies" consent. - Ignorance of the law works both ways by the way, so understanding what "authorized" and "unauthorized" access is as defined is important here as well.
-------------------------------------------------

The reason folks are still discussing this is that end users as they become more aware of the technology - and those who seek to intentionally take advantage of consumers - the consumers become angry and seek redress against opportunitistic "poachers". As consumers seek answers they look to IT professionals for answers, both technically and sometimes legall.

By your post - your open network would be ok to access as you "reasonably know" that people will access this as it was your intent to provide this to them. Now let's suppose for a moment, that for some reason the protection you enabled on your "secure", "closed" or "prviate" net became disabled (for this argument a technical issue caused the security to be disabled.) and a "wardriver" accessed this net with no intent of doing damage, but caused a DoS on the net. Was the action of the wardriver legal or illegal? you did everything reasonable that you were aware of to prevent this, but through no fault of your own your "prviate" net became "public" and as a result now incurrs damage. WIll you our your company attempt to seek redress? or call this illegal? - some points to ponder on this topic.

Collapse -

Which Cases?, Your references to Case Law and USC? Legal Statute Definition

by al In reply to Which Cases?, Your refere ...

I will find the case law (CA). With respect to your citation of the USC, above:

First and foremost - right in the first paragraph of the code:

"knowing that he is not authorized to do so"

If you drive by my open network - you do not KNOW that you are authorized. However, you also do not KNOW that you are unauathorized. You have no way to KNOW on an open node. Hence, you cannot violate paragraph (b) of the statute.

I only KNOW that I am unauthorized when either a) you tell me; or b). I see that your node is secured. Otherwise all I KNOW is that you're spewing out your SSID and opening your network. Notice that the code specifically and intentionally makes it necessary for you to KNOW you are unauthorized, therefore SHOWING INTENT TO COMMIT A CRIMINAL VIOLATION. Without foreknowledge, in this case, beause the statute does not require me to KNOW THAT I AM AUTHORIZED (i.e., it leaves room for interpretation).

Note that "KNOWING YOUR ARE UNAUTHORIZED TO DO SO" is NOT logically equivalent to "HAVING NO IDEA AS TO THE INTENTION OF THE PERSON WHO PROVIDED THIS FREE ACCESS POINT". NOTE, the statute did not say "YOU MUST KNOW YOU ARE AUTHORIZED TO USE THE SYSTEM BEFORE YOU USE IT."

Knowing you are unauthorized and not knowing you are authorized are logically different.

Now, the "reasonable man" theory of law:

a) If a "wireless owner" buys a router and at least read the "quick start" guide he/she will know that there are at least two modes - secure and insecure.

b) It is therefore "reasonable" (using the legal definition of "reasonableness") to assume that someone either 1. Doesn't care and thus implicitly authorizes access by not securing; or, 2. Does care, and thus explicitly denies access by securing the router or wireless access point. (Incidentally, in 2. above, I KNOW I am not authorized. In 1. above I do NOT know I am unauthorized).

c) It is "reasonable" to use unsecured wireless access points - free access points are cropping up daily, at the corner store, at the coffee shop, at the restaurant, at they community center in my development where I live - all both IMPLICITLY and EXPLICITLY made available to the public. It is "unreasonable" to make it incumbent upon the USER of the wireless access service to try to triangulate and track down the source of an open and free signal on the airwaves, and then check with that source, when it is IMPLICIT that the machine, out of the box, tells you how to secure it.

It is further reasonable to assume that someone smart enough to give their unit a unique SSID and NOT provide for at least WEP encryption is both IMPLICITLY and EXPLICITLY granting authorization to use the network.

The only gray area is where you see "LINKSYS", for example, show up as a generic name. What was intended? Ignorant user? Someone who doesn't care?

Collapse -

Great Post, good points

by Matthew Yurksaitis In reply to Which Cases?, Your refere ...

You present some very good points here, great post.. Thanks!

There is a lot to ponder & consider in this area and definitely a lot of ground to cover as well. The Reasonable Man and Authorized / Unauthorized use can easliy be a valid argument on both sides of this issue. I look forward to the case law from CA - always good to have sound references on all points.

Collapse -

Great Conversation

by hangin_online In reply to Great Post, good points

Gentlemen, i see two defined objects in the statutes. One is computer systems and the other computer services.

Collapse -

Two Objects - One Legal Theory

by al In reply to Great Conversation

Yes, there are computers and computer services - however, it is difficult to draw a distinction since a router is a computer and a computer service requires access to a computer. The 'fine line' is where to have authorized access to a computer but not a particular service - e.g., an employee does not have access to the corporate payroll system, but may have access to various other computers (maybe even the one running payroll) on the network.

The legal theory however equally applies - If you KNOW you are UNAUTHORIZED you may not access. Under "reasonable man" the question is it reasonable for you to know. That's the whole reason companies have policies. As an employee you are obligated to know the policy and it is a reasonable assumption that you do.

War Driving in an area with many open KNOWN public access points makes is REASONABLE to assume that if it is not secured it is open. It is REASONABLE to assume that unsecured airwaves are free. However, it is NOT reasonable to assume you can use an attached printer or disk drive! It is GENERALLY ASSUMED that someone else's computer provides some level of privacy UNLESS they have a "shared file" folder. If they do, it is again REASONABLE to assume that the data and executable programs in the Shared Files folder is available.

So - SECURE YOUR NETWORK and DON'T HAVE A SHARE FILES FOLDER on your network drive. If you do, you get what you deserve.

Collapse -

But how far

by Cactus Pete In reply to Two Objects - One Legal T ...

First, let me say that you move to what is RESONABLE to ASSUME now, but in other posts claim that ignorance is no excuse. I think you need to work out the differences on that.

Also, is it REASONABLE to ASSUME that an open wireless access point is connected to FREE INTERNET SERVICES? No.

You cannot look past the LAN with a reasonable expectation of service.

And, since you've (You, personally) been involved in discussions of this type, it is clearly not reasonable to assume that every open access point is there to give you free internet services.

It is reasonable to expect that any free internet services would be advertised as such - in a hotel, at a restaurant, etc. Any person can reasonably be expected to see an SSID of MarthaHomePC and deduce that the AP is not for the general public.

There is no reasonable expectation of unadvertised free service.

Collapse -

Unauthorized Access to a Computer Network

by KSAT In reply to War Driving - Legal or No ...

Sorry - but, any unauthorized access to a network is ILLEGAL. This isn't that difficult.

Here is one conviction: http://rrstar.com/apps/pbcs.dll/article?AID=/20060323/NEWS0107/103230036/1011

Here is another case of illegal use: http://arstechnica.com/news.ars/post/20050707-5068.html

In a recent article on ArsTechnica.com, the author discusses the two cases above and concludes "Wardriving can be fun, and the temptation to take advantage of an unsecured wireless access point can be strong. But given the two convictions in Florida and Illinois during the last nine months, I think I'm going to resist the lure of surreptitious, free WiFi." I completely agree with his analysis and assumptions about the legalities of WAR Driving.

There is plenty of information available that indicates that it is illegal - no matter the circumstances involved. If you don't have permission to use it - don't use it! Very simple!

Collapse -

Rephrase

by lfugate In reply to Unauthorized Access to a ...

KSAT, I'd rephrase your next to last line:If you don't have <explicit> permission to use it - don't use it!

That removes all doubts for me.

Larry

Collapse -

Freakin' aye

by mike In reply to War Driving - Legal or No ...

Well said, Al. Your post breaks down the issue down to the basics. The paranoia is amazing, isn't it?

Related Discussions

Related Forums