 |
A second person in Singapore has been prosecuted for illegal wireless access. He allegedly used an unsecured wireless network to post a bomb threat. Police raided the home of the wireless network owner and seized her computer, but analysis of the machine showed she was not responsible for the bomb hoax.
There has been ongoing debate about the legality of unauthorised access to an unsecured network -- a phenomenon also known as mooching. Some interesting posts have been written by Dr Huang and Aaron Ng, with equally interesting discussion in their respective Comments sections.
I'm going to look at this from another angle: that of policy incentives (or disincentives), in relation to information security. In short, what kind of policy would address the problem?
Incentives and Information Security
In 1993, a now-classic article called Why Cryptosystems Fail compared approaches to credit card fraud in the USA and UK. In the USA, there was the case of Dorothy Judd v Citibank, where a bank customer's word that she had not made an ATM withdrawal was found to outweigh the bank experts' word that she must have done. Following this, the US Federal Reserve required banks to refund all disputed transactions, unless they could prove fraud by the customer.
In Britain at the time, the situation was different. Banks took the stand that their systems were incapable of fault. Customers complaining about unexplained debits (i.e. "phantom withdrawals") were told that they were lying, were mistaken, or had been defrauded by friends and relatives.
As it turns out, the UK banks suffered more fraud.
This is because of what economists call a moral hazard effect. For example, if somebody has automobile insurance, they may be less careful about avoiding damage to their car.
In the case of the UK banks, customer complaints were not taken seriously, leading to laziness and carelessness by bank employees, with a consequent increase in fraud -- since it is the consumer who would be suffering the damage, not the bank.
* Further Reading: Ross Anderson (who wrote the 1993 article) and a colleague have written a more recent analysis, The Economics of Information Security. It discusses the credit card issue and other topics.
Risk and Liability: The example of Workplace Safety
There is a doctrine in legal theory that liability should be assigned to the party that can best manage the risk.
To understand this principle, let's look at workplace safety legislation as an historical example.
What happens without safety laws? A company may choose to save money by not spending money on worker safety. (This does not necessarily mean that the company is "evil", since a company is a legal entity and has no intrinsic morality, good or bad.) Furthermore, even if a company wanted to be pro-safety, there is nothing to stop the next-door factory from producing widgets more cheaply, at greater risk to workers' lives. Assuming the distant purchaser only cares about price, this means that the "non-evil" factories will go out of business as they have higher operating costs.
Such abuses were one factor in the creation of workplace safety laws, which in effect made it more expensive to ignore safety than to ensure it. [Also reviewed in an Economics of Law blog, Part 1 and Part 2]
Or looking at it another way: Employers have better information on workplace risks, are in a position to reduce those risks, and are pressured by costs (and undercutting by others) to ignore those risks. Thus they are a nexus point where an incentive can be applied.
Securing Wireless Networks: applying the incentive
Let's look once again at the problem of unsecured wireless access, and people mooching on it. The risks of mooching to the network owner include:
Excess bandwidth use. It does not cost the subscriber on an unlimited access plan, but might mean less bandwidth for another user at the same exchange.
Password & Data Harvesting. If the network is open, people can also start sniffing for network data packets, which may contain passwords, e-mails and so on.
Incorrect accusation. This is a bigger problem. With Wireless@SG slowly rolling out across the island, there will soon be fewer "benign" reasons to mooch an unsecured network. We see this with the bomb threat that was sent through somebody else's network. The poor lady's home kena raided and computer seized. Jialat...
Sabotage. This is slightly different from the above, in that a victim is specifically targeted, rather than being an incidental casualty. Somebody might purposely sabo his neighbour by doing illegal stuff through the mooched network.
The problem with the status quo is that many users do not really know how to secure their home networks. Furthermore, because the wireless router operates "out of the box", the less technically savvy users (or the more bo chap ones) may plug everything in and assume all is well once the web shows up in their browser. Thus users are in a situation of inadequate information -- and therefore open networks will still be prevalent even if we adopt a doctrine of abetment (as Aaron Ng and Dr Huang have discussed). This is analogous to holding a worker responsible for all aspects of workplace safety -- he may not know enough about the risks, or how to change them, even if he can.
It is also not enough to hold the moocher liable, since there are many unsecured networks, and there may also be moochers who are good at covering their tracks. So cracking down on moochers is not the whole solution.
Is the Default the Fault?
Perhaps the incentive should be shifted to the wireless router manufacturers and their local distributors. Many items of equipment require IDA approval (complete with sticker), so it would be a simple step for IDA to make this one of the conditions for sale in Singapore.
Two possible ways to do this:
- Requiring a password to be entered, when the router is first set up. The downside is that an inexperienced user might blur blur enter the password and then lose or forget it. However a hard reset of the router would allow one to start anew.
- Requiring a secure network as the out-of-box default. A secure encrypted network would be the default configuration, with the access password printed on a piece of paper inside the box. Of course, the password must be different for each box, but this should not be an issue unless the vendor is blur sotong.
The common theme is that a positive action is required from the customer (not passive inaction) to render the network unsecure.
This will not stop people from blur blur buying unsecured routers overseas and then setting them up, but hopefully those savvy enough to go shopping for routers overseas will also be savvy enough to secure their networks. It also won't stop the determined hacker who can crack into encrypted wireless networks.
But it will address the bulk of the problem -- which is widespread unintentionally unsecured networks.
Note: No offence is intended by the word "blur". Sometimes recognising that a consumer can be blur (not everybody is super zai techno expert wat...) is the first step towards better consumer protection. :-)
[Acknowledgements: Many thanks to HC, BL and KTM for their input.]
[Addendum (06 Jan 2007): Added an image. It was adapted from a public domain Wikipedia photo, by superimposing a stylised warchalking symbol for an open, unsecured network.]
Comments (18)
Is it a big problem in Singapore so far? This mooching thing. Does it really require a policy to 'solve' it?
Posted by ted | January 6, 2007 4:56 PM
Hi Ted,
I guess it depends on one's threshold of "big problem". For example, this unfortunate lady got her home raided and computer seized, as a result of some guy mooching her network to send a bomb threat.
Now, one could argue that it is her fault, since she left her network unsecured. But it still means that other folk may face the same problem: collateral damage from a moocher wreaking mischief through their unsecured home network.
Or worse still, somebody could be framed, with a possible miscarriage of justice. Although it is an interesting legal question, as to whether an unsecured network would confer reasonable doubt that the network owner was guilty of a crime. However it likely would not save the network owner from a civil suit. [Disclaimer: I am not a lawyer, and this is not legal advice!]
So basically some harm can occur to some people from mooching. And I agree -- reasonable people can differ on whether the harm justifies some policy tool. But with more and more technology novices going wireless at home, I think the problem is unlikely to go away on its own.
Posted by Speranza Nuova | January 6, 2007 6:08 PM
The KTM actually doesn't understand what's the big deal.
Suppose you forget to keep your front door locked (or perhaps you just weren't aware that your front door is not locked). Does it mean that the KTM can happily come to your house and help himself to your stuff when you are not in?
The problem with 802.11 WEP is that it's quite technical and many people are somewhat computer illiterate and sometimes dunno that they should "lock the door".
The question here is whether the moochers think that they have a RIGHT to therefore mooch. The KTM suspects that most moochers know that they are not actually doing what is morally correct and yet they still want to do it ('cos they reason to themselves that it doesn't cause any harm). Whatever reason people want to give themselves, it doesn't detract from the fact that they are trespassing.
Suppose the KTM lived in a house with a front yard (this is completely fictious 'cos the KTM is a poor bloke who lives in a 4-room flat), but nevermind lah, let's humour the KTM and pretend that he does live in a nice bungalow house.
Suppose the KTM dunno why bought this lock that he doesn't know how to use. So, while he thought that his front gate is securely locked, it really isn't locked at all.
Now, there's this joe who needs to pee. KTM is out and joe realises that the KTM's front gate is unlocked, so he goes and pees in KTM's front yard.
Question: is joe trespassing? Does it really matter to the KTM that someone peed in his front yard, if the pee isn't too smelly? Suppose KTM comes home only after joe has left, the KTM may not even realize that someone has peed in his front yard --- but does it therefore mean that it's okay to go pee in the front yard?
The KTM thinks that it makes no sense to have the Garmen go and legislate that all 802.11 access points must be WEP-enabled by default. Why should it be the Garmen's problem? Just get it into the thick skulls of some of these stoopid Singaporeans that mooching is illegal. They wanna do it, they can. They get caught, they just pay for the consequences of their actions loh. QED.
In any case, let's look at the problem in perspective. Just because one is guilty of criminal trespass really isn't a big deal. Pay fine loh. At the end of the day, the punishment will be commensurate with the "crime" one.
The latest moocher is in *DEEP* trouble however and the reason for that is not the mooching, but for the bomb threat. :-P
Posted by Kway Teow Man | January 6, 2007 6:59 PM
I believe people who are guilty of criminal intent might have been confused over the recent cases of prosecuted wifi threat.
Although this article talked about the technology aspects of wifi, it did not touch on the legal aspects of wifi.
The wifi home user may have the right to use the wifi network in his home but he doesn't own the wifi company's entire network. Therefore he is still subjected to the rules of usage and regulations.
The paid wifi user does not have the right to share his wifi with other people beyond his home and family members. He does not even have the right to share his wifi to strangers and be a charitable donor. Doing so is similar to sharing music on a massive scale.
The owner of a music CD may own the CD but he does not have the right to share it with strangers on a wide scale such as on the internet.
Posted by whybegay | January 6, 2007 10:09 PM
Some routers like SpeedTouch *do* come with the WEP password enabled. The password is actually printed on the router. I think this is a better way than depending on users to enable security and then think of a password which they may forget.
In any case, I feel that if there is no malicious use of the wireless access, there is no need for such a heavy punishment. Perhaps the authorities' greater concern is that if many people start brazenly tapping on others' wireless connection, there would be a corresponding rise in the number of people who use it for malicious purposes.
Posted by Gerald | January 8, 2007 12:54 AM
The SpeedTouch approach sounds very reasonable, especially the bit about printing the password on the router. After all, if the network is physically compromised (i.e. somebody can actually pick up the router and inspect it for a password), then no amount of wireless security will help.
I suspect the authorities are worried about a rise in malicious use of mooching, if unsecured wireless becomes more prevalent. However, heavier penalties won't stop the determined malicious moocher -- although reducing the number of unsecured networks might reduce the opportunities available to him.
Posted by Speranza Nuova | January 8, 2007 1:05 AM
I am getting quite seriously worried when I see letters in the newspaper forums and bloggers arguing whether wifi mooching is legal or not. Even so for the previous two comments which stated that wifi mooching is only a cause for concern *only if* there is "malicious" intent involved.
Many people argue that whatever is found outside people's homes are free for keeps. However, there is a fine line in distinguishing what rightfully belongs to people and what is really free for all.
Some people have argued that since the network of the wifi can cross the boundaries of a person's home, therefore whatever EM frequencies found outside the person's home can be legally "taken". But this is actually a very simplistic observation of a much bigger issue.
Even if the wifi network extends beyond a person's home, the equipment needed to support the wifi network is still within the boundary of the rightful user's home. The wifi subscriber owns and maintains the equipment to support his own wifi network.
Therefore anyone besides the wifi subscriber who access the wifi netweork beyond the subscriber's home still has to tap into the equipment of the wifi subscriber. The equipment is still within the boundary of the wifi user's home. And the wifi infrastructure to support the home users' wifi network belongs to the wifi company, on space that belongs to the company.
The usage equipment to access the pay-to-access wifi network belongs to the wifi subscriber. The wifi subscriber has to pay to utilise the wifi company's services. He may pay to use the wifi company's services but he does not own their wifi infrastructure. Any paid wifi user or moocher still has to go through the infrastructure of the wifi company. Therefore any user who is not certified a geniune user on the network will be subjected to any criminal intent.
Posted by whybegay | January 8, 2007 4:33 AM
fyi, If people want truly free wifi access, this is where they can sign up.
http://home.singtel.com/wirelessSG/wsg_index.htm
Posted by whybegay | January 8, 2007 4:44 AM
There are a few conflated issues on legality of mooching.
If a guy does not secure his wifi and someone leeches on it without his permisson, it is illegal.
If a guy does not secure his wifi deliberately because he/she wants to share and let others benefit from it, it is still illegal still certainly from the ISP's perspective.
Analogies can go this way and that way, but really, if there is a guy with a big heart letting people use his wifi as a small generous community gesture as well as a symbolic defiance against big corporations who over-charge for internet access...
Posted by The Void Deck | January 8, 2007 7:28 PM
Hello to The Void Deck! :-)
I agree that the legality of mooching is often conflated in many discussions on this. In the one case it is unauthorised access; in the other, it is as much a case of breach of contract with the ISP.
In the case of the big-hearted guy donating bandwidth and access to the wider universe, the issue is a bit different. If you have made a conscious decision to open your network, then you have hopefully made an informed, conscious decision to shoulder the consequences of the act -- which may include somebody using your network to post bomb threats or hack other peoples' computers.
The problem is when an uncle or auntie has wireless set up in their home after buying an off-the-shelf solution. Here the user may not be aware that the network is open. In fact one might argue that the opening of the network is the act of the wireless router vendor -- since the user's volition might not be in favour of unsecured open access, were the question explicitly put to the user at the time of purchase.
One can also take the view that it's the consumer's responsibility to be cautious (i.e. caveat emptor), in which case the issue is a moot one -- i.e. if you kena sabo via your unsecured network by some aspiring bomb hoaxer, that is your own fault for not learning enough about the technology before (mis)using it. Some might say that's the better way -- after all, we don't hold toaster manufacturers responsible if somebody tries to toast their bread while sitting in the bathtub with a half-immersed electric toaster.
Posted by Speranza Nuova | January 9, 2007 12:03 AM
This is my view on the parties involved in wifi mooching-
The paid wifi user is responsible to ensure his wifi usage is compliant within the terms of his wifi contract. This means no letting out of his wifi bandwidth to unauthorised users. Contracts have stated the paid users are responsible for any illegal usage. This means paid users are responsible to ensure their personal wifi network is secure.
For cases where the paid users' wifi networks have been unknowingly mooched due to a lack of security, the users are still liable under the terms of contract. They could be grouped as criminal accomplices. However, it is in very bad commercial sense to prosecute such users and bring a bad name to the company.
For wifi users who are fully aware that they are responsible to ensure their own wifi security but instead are adamant in doing so are only being irresponsible of their personal behaviour. They are testing dangerous waters at their own risks. (nb: it has been similarly argued that women who act irresponsibly in their behaviour and send out the "wrong signals" to men and got violated are indeed at fault as well as the violater.)
Whether there are in fact real wifi users who intentionally allow their wifi networks to be mooched is still difficult to determine, unless cases are reported. But these users continue to operate at their own peril, as criminals who are yet to be caught.
It is usually the people who deliberately and actively commit an offensive behaviour under an agenda that are the ones targeted for prosecution with a heavier punishment.
Posted by whybegay | January 9, 2007 1:45 AM
I second the idea of a default requirement. Why not combine two options? With a 3rd? e.g. As the user sets up the box, the user is prompted to:
(1) Enter a Password, and there's a link to further information why users should do this; OR
(2) Select the suggested password that comes with the box, and how this can be modified later and probably recommend that a user-defined password is better; OR
(3) Leave it open, again with a link to the risks involved.
Posted by Ivan Chew | January 9, 2007 1:02 PM
Hello Speranza!
I like your angle on consequences = liability on my spin on the charitable community-spirited wifi provider. This news report on placing liability on the person or company that does not secure its wifi is a case in point. However, I am trying to grapple the issue from the long haired hippy community angle, albeit it is slightly off track from the issue of whether the person mooching wifi has committed a crime or not. Leaving out the inevitable occasional abuses, I find it difficult to accept that a person providing a community service becomes an accomplice in a crime if his open wifi connection is abused. There has to be some balance and it can't be that black and white. If anything, the wifi mooching criminal should get double the sentence / punishment instead for exploiting a community service.
Posted by The Void Deck | January 9, 2007 10:47 PM
TVD,
As it turns out, the legal issues are quite open and shut. Under the existing regime, unless some ISP gets brain damage and doesn't draft its contract properly, it is illegal to provide the sorts of hippie community service described.
Where the grey area exists is that it may not be straightforward to prove beyond reasonable doubt that some long hair dude is intentionally flouting the terms of agreement with the ISP.
ISPs are not stupid either and they are not likely to be trigger happy like Durai. What they will do is probably to issue the hippie with a letter stating in no uncertain terms that the traffic observed is abnormal and the user should take steps to secure his/her wifi connection if he/she had not already done so. If the problem doesn't solve itself, then the ISP would probably have also sniffed enough packets to prove its case by the time it decides to take the case to court. :-P
Posted by Kway Teow Man | January 10, 2007 2:21 AM
This shows the difference between Singapore and America. For all the well-documented social problems America has, Americans still have a far stronger commitment to building a shared community than Singaporeans. We wait for the govt to build outdoor wireless networks for us, but the Americans just go ahead and do it by giving others in their community free access to their own access points.
http://seattlewireless.net/FrequentlyAskedQuestions
Is it because Singaporeans are "scared" of OB markers ? Of running afoul of the govt or telcos, or just plain selfish ?
For the record, my access point is open by choice. There are 3 or 4 "guests" that appear on the router logs now and then. Don't know whether they connected by accident or were deliberately looking for an open network, but hey, I never know when I might need access to the internet when I'm out on the road somewhere.
Posted by haveahacks | January 11, 2007 11:07 PM
Let's take a look at the law from an 'intent' standpoint. If I am not wrong, the intent of the law is to criminalise the hackers who break into networks, causing damages or disruptions.
As in so many of our legal acts, the approach is one of using a sledge hammer in addition to covering all the loop-holes. The mentality is one of, 'If we haven't thought of this loop-hole, let's cover it in our next revision.'
Putting this as the backdrop and then consider the issues of mooching against it and we end up with situations where individuals may mooch, knowingly or unknowingly and those whose networks are 'mooched' and may be outraged or don't care but if someone then take the moocher to task in our court of law, the moocher is sure to be convicted. This, I believe, is the reality as it stands today for Singapore.
I like haveahacks' post about community and the example of Seattle. To me, it is a reflection of the sad state of affairs for the Singaporean community and our legal system.
I have also came across another initiative where someone was promoting the sharing of wireless access which requires registration and all registered users will be able to tapped this 'network' worldwide. Imagine if the majority of people with wireless routers in major cities of the world sign up! The power and the accessibility that will result and the potential revenue loss of telcos and ISPs!
On the legal issue of contractual terms with the ISPs not allowing use by someone else other than subscribers, it is interesting. I have not studied the wording of my contract with SH but maybe I should. Whatever it is, say, I secure my router but allow a visiting friend access by providing him the password, where do I stand? Anyone legally trained knows the answer and is prepared to share your opinion?
Posted by 40+ Singaporean | January 28, 2007 12:16 PM
40+ Singaporean,
On the legal issue of contractual terms with the ISPs not allowing use by someone else other than subscribers, it is interesting.
Regardless of how the contract is drafted, the high-level intention is quite clear -- and that is, the ISP is selling internet service to you and your household. If the ISPs have decent inhouse counsel, they should all say pretty much exactly what I'm saying, but in legalese.
Now, the law is one thing and the enforcement of the law is another thing. So, while it is technically a breach of contract if you set up your network as an open network and let random people log on to it, it will not be easy for the ISPs to prove that you are in breach of contract. In the case of wireless access, who really knows whether the fella logged on to the network is inside or outside your house?
Even if you let lots of people log onto your network, the ISPs probably can't really tell 'cos your wireless modem will act as a NAT and the ISP cannot see exactly who's connected to your network unless they have access to your modem, which ordinarily SHOULDN'T be the case. All they can probably do is to send you a letter telling you that they are witnessing a high level of traffic from your connection and that perhaps you should check your wireless access network to see if people are mooching off you (under the assumption that you are a law-abiding citizen and you are clueless about what's going on). The other thing that they can do (and this is the more likely option) is to choke you by dropping some of the packets coming out from your connection, which means that by sharing your connection with other people, you are effectively compromising the quality of your own service.
The picture can change under one of two circumstances. (i) Some trouble maker latches onto your open network and sends out bomb threats to the PMO and the Police comes knocking on your door. Are you going to admit that you sent the bomb threat? If not, then how come the message come out from your IP address? (ii) The ISP could conceivable send some people to your home and log on to your network. If they succeed and they can prove it -- but sending out messages through your connection, then they can prove that you are violating the terms of your agreement with them.
Aiyah, but case (ii) is unlikely to happen lah. The ISPs dun want any bad press and are not keen to take people to court. It's also too much trouble for them. In all likelihood, they will simply choke the suspected public networks. Case (i) is where people really get into trouble. :-P
To summarize, if you let a friend access your network while he is visiting, it is possible that you might be in violation of the user agreement, but in practical terms, it's not going to make any difference. Actually, even if people want to leave their networks open, they are also unlikely to get into any legal trouble unless suay suay they have some psycho logging on to their network and doing illegal things (which unfortunately, does happen, which is why we are talking about this in the first place). :-P I hope this helps you sleep better at night. :-)
Posted by Kway Teow Man | January 28, 2007 5:32 PM
Hi,
I come to know a person who used a credit card and jail in Singapore he did it before in other countrys, how can I fid out from Singaporian police the details about him?
rupan
Posted by Rupan | July 25, 2008 9:34 AM