13 August 2002
Recently, Declan McCullagh's Politech list brought to my attention a letter from Special Agent Bill Shore (local copy with clickable URLs), FBI-Pittsburgh. In the letter, Agent Shore references some information from CERT regarding restricting access to wireless networks intended to be private. However, he also states that there may be criminal violations occuring if an open wireless network is actually used, rather than just having its beacon noted in passing. I believe that is a troubling, even dangerous, misinterpretation. It ignores the intent behind open wireless networking, and fails the test of reasonableness.
I feel Agent Shore's letter deserves an answer from someone whose hobby and job both involve providing open and securely private 802.11b wireless access. I consult on open and private wireless network installation and auditing for homes and small businesses. In addition, I am the author of authhb (a less capable cousin of NoCatAuth), which I have used to mediate access on both open and private wireless networks. Finally, I am the Security Administrator for the University Corporation for Atmospheric Research, operator of the National Center for Atmospheric Research, a National Science Foundation-funded supercomputing center. At UCAR, my job includes securing both wired and wireless access to the institution. In short, I've spent a large amount of both my professional and community time thinking about and working in this area, for both open and private wireless networks.
To better understand why accessing an open network can not and should not reasonably be considered anywhere close to a criminal act, we'll start with the populist genesis of the wireless networking standard. Then we'll get into the default behavior built into wireless access devices as an indirect result of the populist intent. After that, we'll point out how private space can trivially be marked as such by signs visible to any user. In the end, we see that only users who ignore "private" signs can or should be considered outcast.
The low-power ISM-band 802.11b and related networking standards were borne out of populist sentiment. The original efforts were presented to the public as enabling network access from anywhere, cheaply, for the masses. Ordinary citizens were evangelized to write the FCC requesting approval of the standards. Similar efforts occured in other countries. Against a background USA climate of expensive FCC spectrum auctions being won by fatcat speculators, Apple computer engineers and others wanted to create a public space for inexpensive, ubiquitous, untethered networking.
They succeeded, most spectacularly in Estonia. Other current community network initiatives in the United States and around the world also build very well on the sentiment that led to the existence of the standard in the first place. Setting up a commons not controlled by any major merged telecom-and-content company, or sharing legitimately purchased upstream bandwidth with neighbors, is the very heart of this neighborly, populist internetworking.
The history behind the creation of this networking standard has made such community network initiatives easier, as the intent for openness and ease of use by the general public drove the default behavior of wireless network access devices.
Informed by the populist history and the users' desire to connect transparently with minimal chance for failure, wireless access devices are deliberately designed to connect automatically.
Merely turning on most laptops or handhelds with a wireless card causes the computer's operating system to connect to the closest open access point available. The operating system will then automatically assume an internet address, and start using it for access.
Note well: this happens automatically, without the end-user necessarily even being aware that network access is occuring. However, even in cases where the user is intending to connect, allegations of criminality are out of place, as the default use of the commons spectrum is open access.
If the equipment connects without intervention, a reasonable end-user will assume the access is authorized. This is particularly appropriate, as the wireless devices do employ a shared, public spectrum allocation; a commons not restricted to the sole use of any single licensee.
First, the intent of the user may be to connect to his own base station. For example, the user might not even notice that his base station has suffered a power supply failure, and his computer has transparently switched over to the network run by his neighbor. (I speak from personal experience here.) In the face of intent to use his own equipment, any allegations of misuse are inappropriate.
Second, and more to the point for open networks, the user may be intending to connect to a nearby community access point (such as the one I operate at my home). A reasonable user would thus assume the system that gives him a network connection means to do so as part of his neighborhood's "computing everywhere" initiative. Since wireless incarnations of such initiatives are popping up all over the place, as envisioned from the very start, reasonable users will naturally assume access is welcomed.
A reasonable user connecting to an open access point is thus very likely to believe any resulting network access is intentionally authorized.
Given the default open intent present from the populist genesis of the low-power ISM-band network efforts, and the default open behavior it engenders, I believe it is unreasonable to even hint at calling users of open wireless networks anything close to criminal.
The problems with such misplaced allegations become even more apparent when we consider the deliberate creation of private spaces using 802.11b equipment. Indeed, for those who care to close off the default public access, doing so is trivial on any commercially available access point.
Organizations who wish to use the commons 2.4GHz frequency for their own private purposes in their area can easily do so by putting up a sign indicating that access is restricted, and no longer default-open. Such signs can take the form of any of the following:
Any of those steps will indicate to a reasonable person that access to the particular network they're seeing is not open, or open only according to some policy made clear by the mediation system. Each easily prevents the default automatic, open access, and clearly signals "private."
Only those who ignore such equivalents of closed fence gates and "keep out" signs can rightly be considered unauthorized users of any wireless network.
The populist genesis of the ubiquitous, open, untethered network standards has informed the open defaults we observe in 802.11b networking. What we have is an open 2.4GHz commons, intended for the use of all as they see fit. Those open defaults, plus the growing populist community networking efforts, lead reasonable users to rightly expect that open networks are indeed open for access. That reasonable expectation of authorized open access is only reinforced by the fact that those who wish to restrict use of their wireless equipment have trivially available means of putting up signs that say "private." Without such signs, a reasonable user will expect that, if their computer just connects and goes, the network is intended to be open.
It is thus dangerous and inappropriate to call users of open wireless networks anything close to criminal. Only users who ignore "private network" signs, and thus engage in unauthorized use, can or should be considered outcasts and sanctioned appropriately.