Friday, 24 August 2007

Wireless Network Bust

Earlier this week, the Daily Mail reported, in typically lurid style, that the new-fangled Police Community Support Officers solve, on average, one crime every six years.

Having observed some local specimens going about their business, knuckles scraping the ground as they walked, I was not in the least surprised by this revelation. So imagine my amazement when I read this BBC news report, which features these intrepid public servants actually making an arrest.

So what act of heroism did they commit? Thwart an armed robbery? Grapple with a mugger as he made off with an old lady's purse? No, nothing of the sort - these folks have really gone to town by, wait for it ... arresting a guy for using a wi-fi broadband connection without permission! You can just image the massive impact that's going to have on the local crime rate, can't you?

According to the BBC, "They became suspicious when they saw the 39-year-old using his laptop outside a house in Prebend Gardens. When questioned he admitted to using someone else's unsecured wi-fi broadband connection. He has been bailed pending further inquiries." Gosh, I can hardly contain my relief.

Don't get me wrong here - I don't condone unauthorised access to someone else's internet connection, whether it's wireless or wired, secured or unsecured. In fact, a small but significant part of my day job involves locking down wireless networks to prevent just this kind of thing from happening.
But I think that arresting the guy is a little extreme - unless, of course, he was using the purloined connection to commit further offences, in which case they should throw the book at him.

The BBC goes on to add, "Dishonestly obtaining free internet access is an offence under the Communications Act 2003 and a potential breach of the Computer Misuse Act."

I'm not too sure about that, either. Breach of the Communications Act in this context seems a little uncertain to me, even though Gregory Straszkiewicz was convicted of "piggybacking" on an unsecured wireless network using this Act in 2005. Section 125(1) of the Act reads:

A person who—
(a) dishonestly obtains an electronic communications service, and
(b) does so with intent to avoid payment of a charge applicable to the provision of that service,
is guilty of an offence.

The key word here seems to be "dishonestly". Consider the nature of a wireless network - it is set up to broadcast signals to computers capable of receiving them, and receive responses from those computers. In many, if not most cases, those signals can, and will, extend far beyond the limits of the network owner's property. For example, computers in my office are aware of a (secured, before anyone asks) wireless network that exists in my neighbour's property, over 50 meters away.

Now consider the nature of the signals put out by a wireless network. Alongside the basic network "chatter" of data being transmitted and received, the wireless network usually broadcasts a Service Set Identifier (SSID), the very purpose of which is to advertise the presence of a wireless network, so that a suitable computer can connect to it.

If the network operator does not want unauthorised computers to connect to his or her network, it is very easy to ensure that they don't - or, at least, to ensure that they can't do it easily.

Firstly, they can easily set up encryption on both the networking devices themselves and any computer that they wish to connect to the network. Broadly, this means that the network is transmitting its signals in code, and only computers that have been set up to understand the code (again, an easy thing to arrange) can connect to the network.

Secondly, they can easily stop the network from advertising its presence to all and sundry simply by telling it not to broadcast its SSID. Every wireless networking device that I have ever encountered offers these basic functions, and they are not difficult to use. If the owner of the network chooses not to use them, or can't be bothered to spend a few moments understanding their importance, they are effectively broadcasting an electronic invitation to any wireless-capable computer within range to connect to the network.

Under those circumstances, it is difficult to see how it is "dishonest" for someone with a wireless-capable computer to accept the invitation and log on to the network - they know all about the available security measures, how simple they are to implement and that many people deliberately leave their wireless network open to outsiders as a "public service". They could, quite reasonably, conclude that if a wireless network is left unsecured, when it could so easily be locked down, then it must have been left so deliberately.

I have similar reservations about the Computer Misuse Act in this context. Section 1 of the Act reads:

A person is guilty of an offence if—
(a) he causes a computer to perform any function with intent to secure access to any program or data held in any computer;
(b) the access he intends to secure is unauthorised; and
(c) he knows at the time when he causes the computer to perform the function that that is the case.

If you accept, as I do, that a wireless router is a computer for the purposes of the Act, then unauthorised access to the network seems to fall within the bounds of (a) and (b), but what about (c)?

For much the same reasons as I've mentioned above with respect to dishonesty, it's easy to see how someone connecting to an unsecured wireless network could argue that they didn't know the access was unauthorised. After all, no technical means of authenticating their access to the network was in evidence; they were allowed to connect unchallenged.

Of course, in both cases, one could draw an analogy with an unlocked door and a burglar - if a burglar enters a property via an unlocked door to commit his crime, is it still a crime? And the answer is, naturally, yes.

But what if the victim pinned a note to the outside of the door - "Dear All, my door's open, come on in, help yourself to my stuff!" Is it still a crime to enter the property and help yourself to their stuff in that case? To my mind, that situation is far less clear-cut, and yet that is exactly what the owner of an unsecured wireless network is doing.

You could argue that this may not be their intention, and that they may lack the necessary technical skill to secure their network. But, if an unlicensed driver is in control of a car when it kills someone, do we say that it wasn't their intention to kill, they just lacked the necessary technical skill to avoid doing so, and then let them off? No, we don't. So why should we make excuses for people who don't take the trouble to understand their other toys?

For the incompetent wireless network owner doesn't just expose themselves to risk. They also provide a relatively anonymous means of internet access for those who set out to commit a whole variety of online crimes, and it seems reasonable that they should take some responsibility for the open networks they are operating.

Again, I don't say that it's right to use someone else's internet connection without their permission, whether or not they have bothered to secure it, and some form of legal protection is probably a good idea. But, in the case of an unsecured network (a secured network would be a different matter altogether), neither the Communications Act nor the Computer Misuse Act strikes me as the best way to do that. It can only be a matter of time before someone successfully argues that use of an unsecured network isn't dishonest unless they know in advance that they do not have permission to use it, and if they don't know that then they can't be in breach of the Computer Misuse Act either.

Much as I dislike the idea of giving the already power-crazed British Government an excuse to impose yet more red tape on the beleaguered electorate, I can't help wondering whether some more specific legislation might be in order. Perhaps something that actively prohibits access to a wireless network originating from business or domestic premises without the owner's explicit permission, save in cases where a network is specifically created for public use. And, at the same time, imposes obligations on the owners of such networks to ensure that they are locked down, again with the exception of networks created specifically for public use.

Such legislation would doubtless be unpopular, but the Government could always argue that it's intended to counter terrorist activity - after all, that's what they say about everything else!

Billy Seggars.

No comments: