law and ethics
This
page considers rights and responsibilities in warchalking
and wardriving, along with pointers to primers and studies.
It
supplements the broader discussion elsewhere on this site
regarding wireless internet
theft (aka piggybacking), internet security,
network governance and matters such as cybercafes and
wireless access in Australasia.
legal frameworks
Is wardriving legal? The answer varies, depending on jurisdiction.
Some analysts use the 'front door' model, where it is not
an offence to identify that a door exists but unauthorised
entry breaches the law and facilitating wrongdoing by
alerting offenders that the door is unlocked may also
be a breach.
Most regimes regard unauthorised connection to and use
of a network as illegal.
That encompasses activities such as identifying what files
are held on particular servers or desktop machines, identifying
the topology of a LAN, copying (or modifying or deleting)
files and using the network for unauthorised communications
(including spam and stalking).
It is consistent with prohibitions on unauthorised physical
access to content, devices and networks, with legislation
for example identifying crimes such as theft of services.
In Australia there has been no definitive case law about
'theft of service' through unauthorised use of a network.
Observers note that there are specific prohibitions in
federal law.
The federal Cybercrime Act 2001 (CA)
for example amended the Criminal Code Act 1995
by identifying computer offences that "impair the
security, integrity and reliability of computer data and
electronic communications". The three major computer
offences are -
1) Unauthorised access, modification or impairment with
intent to commit a serious offence (with a maximum penalty
equal to the maximum penalty for that serious offence).
2) Unauthorised modification of data where the offender
is reckless as to whether the modification will impair
data (maximum penalty of 10 years in prison), covering
situations such as where a hacker unintentionally impairs
data in the course of unauthorised access to a computer
system.
3) Unauthorised impairment of electronic communications
(maximum penalty of 10 years in prison), including 'denial
of service' attacks.
The
first offence centres on activity such as hacking a financial
institution's database to access credit card details with
the intention of using them to obtain money (ie intending
to commit a fraud offence).
The Act includes other computer offences -
1 Unauthorised access to, or modification of, restricted
data (maximum penalty of two years imprisonment)
2 Unauthorised impairment of data held on a computer
storage device, including removable storage (maximum
two years imprisonment)
3 Possession or control of data with intent to commit
a computer offence (maximum penalty three years imprisonment)
4 Producing, supplying or obtaining data with intent
to commit a computer offence (maximum penalty three
years imprisonment)
prosecutions
The 2004 conviction (in the US District Court for the
Western District of North Carolina) of Paul Timmins on
a single count of fraudulent and unauthorized Wi-Fi access
to a private corporate network is believed to be the first
wardriving conviction in the US. Legal specialists have
argued that there is potential liability under the US
federal Computer Fraud & Abuse Act, the Wiretap
Act and some state legislation.
The same year saw action under the US federal CAN-SPAM
Act against Nicholas Tombros,
who allegedly sent spam via insecure residential wireless
APs in Los Angeles.
Other jurisdictions have successfully prosecuted individuals/groups
for 'theft of service' or unauthorised access.
Canadian police for example prosecuted a man in November
2003 after checking his car for a traffic infraction and
discovering that he was naked from the waist down and
was viewing child pornography accessed via a residential
wireless hot spot. He was charged with theft of telecommunications
and possession, distribution and creation of child porn.
In March 2006 Ontario Provincial Police charged a man
under Section 326 of the Ontario Criminal Code (Theft
of Communications), alleging the man was "using his
lap top computer to steal a wireless Internet connection"
in Morrisburg.
In the UK Gregory Straszkiewicz is believed to be the
first person to be convicted of wireless 'piggybacking'
in breach of the Computer Misuse Act and the
Communications Act in 2005. He was fined £500
and given a 12-month conditional discharge.
In 2006 Singapore teenage 'bandwidth bandit' Garyl Tan
Jia Luo pleaded guilty under the Computer Misuse Act
to tapping into a neighbour's wireless network, in what
is claimed to be Singapore's first prosecution for the offence.
What
of warchalking? As far as we are aware there have been
no successful Australian prosecutions for chalking, although
presumably there is some scope for action under damage
to public/private property (don't use waterproof paint
or carve a symbol on someone's fence or front door) or
even aiding a crime.
responsibilities
As with most information security issues, APs involve
several responsibilities and are not restricted to containment
of wardrivers.
Pundit Jeff Duntemann comments that -
My
fellow wardrivers and I adhere to a relatively strict
code of ethics that can be cooked down to the following:
Don't
look.
Don't touch.
Don't play through.
In
other words, 1) don't examine the contents of a network;
2) don't add, delete, or change anything on the network,
and 3) don't even use the network's Internet connection
for Web surfing, email, chat, FTP, or anything else.
Somebody else paid for the bandwidth, and if you don't
have permission to use it, you're stealing it. Basically,
unless you have permission, don't connect. Consider
it a matter of personal honor, even when it's unlikely
that you'll be caught. (If you get too used to feeling
that you won't get caught, sooner or later you will
get caught!)
Patrick
Ryan's 2004 War, Peace, or Stalemate: Wargames, Wardialing,
Wardriving, and the Emerging Market for Hacker Ethics
(PDF)
considers wardriving and 'ethical hacking', something
examined in more detail here.
Network operators also have responsibilities, including
an obligation not to inadvertently allow access to their
networks. In Australia, apart from damage to the financial
viability of an organisation, the operator might potentially
face exposure to action for failure to adequately protect
employee or customer privacy,
intellectual property and other duties.
Some sense of scope is provided by a contact's discovery
of an open 2 megabit network in Canberra, which in principle
would allow an offender with an appropriate address list
to spam much of Australia within a few minutes.
The organizer of the Auckland wardrive noted above commented
that
People just take their routers out of the box, assign
a username and password and nothing else.
It
is thus not surprising that intrusions occur ... although
many of those intrusions are undetected.
studies
Primers for drive & chalk aficionados include
Drive-By Wi-Fi Guide (Phoenix: Paraglyph Press 2003) by Jeff Duntemann
WarDriving: Drive, Detect, Defend - A Guide to Wireless Security (Rockland: Syngress 2004) by Chris Hurley, Michael Puchol, Russ Rogers & Frank Thornton
Wi-Foo: The Secrets of Wireless Hacking (New York: Pearson Education 2004) by Andrew Vladimirov, Konstantin Gavrilenko & Andrei Mikhailovsky
Wireless Hacks (Sebastopol: O'Reilly 2003) by Rob Flickenger
Christian
Sandvig's 2004 An Initial Assessment of Cooperative
Action in Wi-Fi Networking (PDF)
in Telecommunications Policy 28 (7/8), Hira Sathu's
2006 'WarDriving: Technical & Legal Context' in Proceedings
of the 5th WSEAS International Conference on Telecommunications
and Informatics and Gregory Kipper's Wireless
Crime & Forensic Investigation (Boca Raton: Auerbach
2007) are of value. For an historical perspective see
Shipley's LanJacking and WarDriving (PDF).