Legal liability of compromised wifi
By Matt | December 15, 2009
This comes from a post on the NAISG mailing list:
Does anyone know if there is any civil or criminal precedent for unauthorized use behind a firewall? Specifically, I am at home and have a wireless network that gets compromised and someone does something “bad” from the IP address that is traced back to me. Is there anything saying I am or am not liable for those actions?
I had a series of three email replies that I think added to the conversation:
First:
> Is there anything saying I am or am not liable for those actions.
I’m not one to use “IANAL” too often, but the post screams that I make clear I am not a lawyer. On the most generic level, the U.S. does not have clear laws or legal precedent in this situation. So the correct answer is “yes, you could be liable.” There is no statutory law or case law that clearly says as a general rule you would be held liable; at the same time, you are not protected by an explicit safe harbor provision.
The DMCA defines a “service provider” as “offering” digital access and grants them safe harbor in exchange for cooperating with certain requests. In your scenario you said “compromised,” which to me says you weren’t offering and thus couldn’t be considered a service provider. It doesn’t seem fair that Panera Bread is protected from illegal use of their offered free service, while a home wifi that has been compromised isn’t explicitly protected.
While oriented towards software, here’s an interesting paper proposing the creation of “The Tort of Negligent Enabling of Cybercrime.” http://www.law.suffolk.edu/faculty/addinfo/rustad/rustad.koenig.final.pdf
Issues like those two above are things the courts and legislatures will be grappling with over the next couple decades.
While you may not be liable, having an open access point can open you up to unpleasantness.
In U.S. v. Javier Perez, the Fifth Circuit Court of Appeals upheld a search warrant that was issued against Mr. Perez despite the fact he had an open wireless access point and two roommates who had wired network connections. The account the IP was associated with was in his name so, “there was still a fair probability that Perez was the party responsible for the illegal transmissions.” http://cases.justia.com/us-court-of-appeals/F3/484/735/580310/ . I do not know if Perez applies to other circuits beyond the Fifth, but I think the reasoning is sound.
Maine saw a jump in IP addresses associated with child pornography from 15,000 in 2007 to 43,500 in 2008. Rather than a whole bunch of new perverts, it is likely a lot more war driving to find open access points. http://www.bangordailynews.com/detail/104152.html . It’s chilling to think what the statistics for a bigger, more urbanized state would be like.
My guesstimate is that means several thousand, perhaps closing in on ten thousand, Maine residents and businesses could be at risk of having a search warrant served because of the activity of someone using their open wifi. Fortunately for most folks the police have to prioritize their limited resources and don’t have the time to search each potential location they could develop probable cause on.
If you don’t want to deal with a search warrant because your neighbor was surfing kiddie porn on your wifi and you have a fine collection of marijuana plants growing in your living room, it would be good to enable WPA. For a business that doesn’t need to provide easy guest access, a modest investment in WPA2 + Radius avoids the potential for a much greater expense dealing with an investigation of someone abusing your wifi.
Bruce Schneier also has a nice essay with quite a bit of discussion following it at: http://www.schneier.com/blog/archives/2008/01/my_open_wireles.html
Second, the next morning:
>For example, someone stealing your station
>wagon to use as a getaway car, probably no liability on your part.
I suspect it’s more nuanced than that. If your car is stolen from a locked garage, and the thief needs to break a car window and hot-wire it, you’re probably in a bit better position than if your car is stolen while running in your yard defrosting in the morning, and that’s better than if it is stolen because you left it unlocked and running outside a bar at 2am on a Saturday.
I don’t have time before leaving for work to try and find the citation, but there’s a case that’s somewhat illustrative to the original question:
– Painter is informed by the homeowner to lock the door when leaving.
– Painter does not.
– House is robbed.
– Thief is criminally responsible for the theft.
– Painter is held civilly responsible for his negligence in allowing the theft to occur by not locking the door.
If someone uses your wireless to access an uninvolved party, there may or may not be any liability (like my other post said, that’s still legally uncertain).
Now, if I’m hired to audit a business, I have a wifi that I use to connect my audit team’s laptops together, one of those laptops is also connected to the client’s LAN so we can print documents, and someone uses that wifi, via the LAN-connected laptop, to bypass the client’s corporate perimeter defenses and access the network, I think there would be liability very similar to the painter’s in the case above.
Third, when I had a little more time to follow up:
The case of the painter in my earlier post was Stansbie v. Troman http://www.a-level-law.com/caselibrary/STANSBIE%20v%20TROMAN%20%5B1948%5D%202%20KB%2048%20-%20CA.doc , which is a case from the U.K. decided not on a contractual requirement, but by a common law decision that what the painter did in leaving the premises unprotected was unreasonable.
In googling for that, I found what I think will be helpful to Mike’s original request:
“In a similar case, the defendant put a scaffold in place next to the plaintiff’s apartment building. Armed robbers used the scaffold to gain entry to the plaintiff’s apartment and stole his goods. The New York Supreme Court denied the defendant’s petition for summary judgment. The defendant had encouraged free radicals by making a scarce and tempting opportunity available to them. In an analogous case, involving information security, the bookseller Barnes and Noble allegedly permitted cyber rogues to gain unauthorized access to confidential client information through security vulnerabilities in its web site. Barnes and Noble entered into a settlement agreement with the New York Attorney General in April 2004.”
http://www.law.northwestern.edu/journals/njtip/v4/n1/2/
I think either my earlier scenario of auditors bypassing a client security perimeter with wifi, or Joe Peter’s example of an open wifi connection exposing a PC which is running a VPN back to a client asset, could fit under this doctrine, in that we owe someone we have a relationship a duty to “not leave the front door unlocked.”
The Barnes & Noble case’s press release from the New York AG reads,
The agreement follows an investigation into the company’s privacy and information security practices, in which the Attorney General found that a design vulnerability in Barnes & Noble.com’s web site permitted unauthorized access to consumers’ accounts and personal information and enabled users to make purchases on the site from consumers’ accounts.
The vulnerability arose from Barnes & Noble.com’s use of “cookie-less” shopping, whereby, in order to avoid the use of “cookies” – textual identifiers or markers placed on users’ hard drives – Barnes & Noble.com stored certain user information in the web page URL. In certain situations (such as a consumer forwarding or posting a web page link), the consumer information in the URL was inadvertently posted or forwarded to third parties.
“Consumers are concerned about how their personal information is secured and protected by online merchants, Spitzer said. Our effort here should help assure that the terms of Barnes and Noble’s internet privacy policy are met.”
Under the terms of the agreement, Barnes & Noble.com will establish an information security program to protect personal information; establish management oversight and employee training programs; hire an external auditor to monitor compliance with the security program; and pay $60,000 in costs and penalties. Spitzer commended Barnes & Noble.com for its cooperation with the investigation and its implementation of appropriate security safeguards.
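The design flaw the press release describes is worth seeing concretely: when the state that identifies a customer lives in the URL, the URL itself becomes the credential, and it leaks through every channel a URL travels (a forwarded e-mail, a posted link, a Referer header, a web server log). The following is an added illustration, not code from the original post and not Barnes & Noble’s actual site; the host name `shop.example`, the `uid` parameter, the account store and the handler functions are all assumed for the demonstration. It sets the "cookie-less" pattern beside the usual fix, an opaque server-side session keyed by a random token delivered in a cookie, and simulates a third party replaying a forwarded link against each.

```python
import secrets
from typing import Callable, Dict, Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed sample data for the demonstration only; not real accounts.
ACCOUNTS: Dict[str, Dict[str, str]] = {
    "u1001": {"name": "A. Customer", "card_last4": "4242"},
}

# ---- Vulnerable: "cookie-less" shopping, identity carried in the URL ----

def vulnerable_account_url(user_id: str) -> str:
    """Build the kind of link a cookie-less site hands to the browser.

    The query string is the only thing the server will look at, so
    anyone who obtains this string is, as far as the site knows, the user."""
    return "https://shop.example/account?" + urlencode({"uid": user_id})

def vulnerable_handle(url: str, cookies: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Server side of the cookie-less design: trusts the uid in the URL.

    The cookie jar is ignored entirely, which is the point of the design."""
    uid = parse_qs(urlparse(url).query).get("uid", [None])[0]
    return ACCOUNTS.get(uid) if uid else None

# ---- Hardened: opaque session token in a cookie, nothing in the URL ----

SESSIONS: Dict[str, str] = {}  # token -> user_id, held server-side only

def login(user_id: str) -> tuple:
    """Create a session; return (token, value for the Set-Cookie header).

    HttpOnly keeps page script away from the token, Secure keeps it off
    plaintext HTTP, SameSite=Lax keeps most cross-site requests from
    carrying it. None of these attributes exist for a URL parameter."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = user_id
    return token, f"session={token}; Secure; HttpOnly; SameSite=Lax; Path=/"

def hardened_account_url() -> str:
    """The account page URL carries no identifying state at all."""
    return "https://shop.example/account"

def hardened_handle(url: str, cookies: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Server side of the hardened design: identity comes only from the cookie."""
    uid = SESSIONS.get(cookies.get("session", ""))
    return ACCOUNTS.get(uid) if uid else None

# ---- The leak scenario from the settlement: user forwards or posts the link ----

def what_a_forwarded_link_reveals(
    url: str, handler: Callable[[str, Dict[str, str]], Optional[Dict[str, str]]]
) -> Optional[Dict[str, str]]:
    """A third party who received only the URL string replays it.

    They hold none of the original user's cookies, so the jar is empty.
    The same replay is possible when the URL lands in a Referer header
    or in a proxy or web-server access log."""
    return handler(url, cookies={})

if __name__ == "__main__":
    leaked = what_a_forwarded_link_reveals(vulnerable_account_url("u1001"), vulnerable_handle)
    print("cookie-less design, forwarded link reveals:", leaked)

    token, set_cookie = login("u1001")
    print("Set-Cookie:", set_cookie)
    print("hardened design, forwarded link reveals:",
          what_a_forwarded_link_reveals(hardened_account_url(), hardened_handle))
    print("hardened design, browser holding the cookie:",
          hardened_handle(hardened_account_url(), {"session": token}))
```

The vulnerable handler hands the forwarded link's recipient the full account record; the hardened handler returns nothing for the same replay, because the only secret never left the original browser's cookie jar. A quick audit check for this class of flaw is to grep application URLs and access logs for account identifiers, session IDs or e-mail addresses in the query string: anything that shows up there is already in every log and Referer on the path.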