Over coffee at BarCamp last Saturday with Marie Boran (of Silicon Republic) and Antoin Ó Lachtnáin, conversation turned to last week’s news reports (BBC | OUT-LAW.com | The Register) that two people (let’s call them the leeches) were arrested in the UK and cautioned for using other people’s (let’s call them the routers’) wifi without permission. There are interesting questions of legal liability here, both for the leech and for the router, and they came up again in the context of Antoin’s presentation later that day about fon. That’s Antoin preaching the fon gospel in the photo on the left. Here, I want to discuss some of the legal issues, before turning to Antoin’s presentation.
Let’s look first at the liability of the leech. Last week’s case, and another similar one two years ago (BBC | OUT-LAW.com | The Register) in which a leech was fined St£500, concerned section 125 of the Communications Act 2003, relating to dishonestly obtaining electronic communications services. Section 125(1) provides
A person who-
(a) dishonestly obtains an electronic communications service, and
(b) does so with intent to avoid payment of a charge applicable to the provision of that service,
is guilty of an offence.
This seems clear enough; unfortunately, however, Irish law on the point isn’t as lucid. In an idle moment, I emailed a few lawyers and asked them for their opinions. TJ McIntyre pointed to section 99(1) of the Postal and Telecommunications Act, 1983 (also here) which provides:
A person who wilfully causes the company to suffer loss in respect of any rental, fee or charge properly payable for the use of the telecommunications system or any part of the system or who by any false statement or misrepresentation or otherwise with intent to defraud avoids or attempts to avoid payment of any such rental, fee or charge shall be guilty of an offence.
But, as Daithí Mac Síthigh points out on his WiFi Odyssey (a tremendous post, well worth reading), the patchwork of subsequent amendments has made such a mess of this section that it has become terribly obscure, and the best that can be said is that it is, in Daithí’s words, “sort of” an Irish version of the UK’s section 125. As a consequence, Steve Hedley suggested “unlawful use of a computer” (in section 9 of the Criminal Justice (Theft and Fraud Offences) Act, 2001 (also here)) and “criminal damage” (in
Even more interesting questions arise, though, when we turn to consider the potential liability not of the leech but of the router. Let us assume that the leech is piggybacking on the router’s wifi for the purposes of committing a criminal offence or causing harm to a third party (the victim). There is always the risk, of course, that the router will be found guilty of having actually committed the criminal offence in his or her own right (as happened in USA v Perez (US Court of Appeals for the 5th Circuit; 11 April 2007; (pdf)); hat tip The Register via OUT-LAW.com); but these cases will very often run into significant evidential difficulties. More common will be arguments that the router should be made criminally liable for facilitating the leech’s commission of the criminal offences.
We fear the new. And, in many ways, the internet is still new, wifi newer still. As Lilian Edwards observes (in “The internet and security: do we need a man with a red flag walking in front of every computer?” (2007) 4 (1) SCRIPT-ed 1 (March 2007)), rather like those who feared cars so much that early models had to be preceded by a man walking ahead with a red flag to warn people of the approach of the new-fangled invention, there are now those who would red-flag everything about the internet. And those who fear the new would say that it’s obvious that the router should be liable for the activities of the leech. But is it?
I don’t think so. If you walk up my garden path and then shoot my neighbour over our shared garden wall, I have no legal liability, even/especially if you were trespassing on my garden path at the time. Or, if I lend you my hammer, and you use it not only for some DIY but also to break a window for a robbery, or an assault, or worse. It may have been my hammer, but I am not liable for your criminal acts. Still less would I be liable if you had stolen my hammer (even if I keep it in my toolbox in my garden shed, but neither has a lock, and it’s easy to jump the wall into my garden). Or, say I lend you my car, and you use it as a getaway vehicle from a crime; I am not liable for your crime. Still less if you steal it. Let me labour the point with one more example, closer to this issue: say you steal my mobile phone and commit an offence, say of making threatening phone calls – I am most certainly not liable for that. In all of these examples, when you trespass on my garden path, or steal my hammer or car or phone, I am not liable, just as I would not be if you were to leech my wifi.
Of course, according to section 7(1) of the Criminal Law Act, 1997 (also here):
Any person who aids, abets, counsels or procures the commission of an indictable offence shall be liable to be indicted, tried and punished as a principal offender.
But the cases establish that this secondary liability depends on knowledge by the accessory not only that a crime was going to be, or had been, committed, but also that his or her action assisted in its preparation, commission, or aftermath. It is therefore only where the leech knows that the router wishes to use the wifi for criminal purposes that the router will also be liable under section 7(1) for the leech’s criminal offence.
Nor is the router likely to be directly liable to the victim in private law. It may very well be “an act of folly to leave one’s motor car in the public street, even for a short time, with the keys in the ignition” so that the theft of the car would be reasonably foreseeable; nevertheless, the Supreme Court in Breslin v Corcoran [2003] 2 IR 203, [2003] 2 ILRM 189, [2003] IESC 23 (27 March 2003) held that the car owner would not usually owe a duty of care to someone injured by the thief’s negligent driving. Similarly, even if it is an act of folly for the router to leave wifi open, unprotected even by password, the router will not owe a duty of care to the victim of the leech’s activities.
Moreover, I don’t think it is an act of folly for the router to leave wifi open and unprotected. I don’t even think that it is naughty to have an open wireless router. On the contrary, if I have paid for it, I don’t mind others using it too, just as I would allow hillwalkers the right to roam over hills, if I had any. That is why I found Antoin’s presentation at BarCamp last week so fascinating.
He wondered whether there could be a free lunch (even though, popularly, there ain’t no such thing), or at least free – or even cheap – wifi; and he introduced us to fon, the world’s largest wifi community. Its philosophy is beautifully simple:
At home, with your wireless broadband, you’re a wifi king; but on the road, you’re a wifi beggar. So, share some wifi at home, and get free fon wifi around the world.
Foneros (members of the fon community) use the fonera (a router with two channels) to allow some external access to an open second channel, and in turn have access to such open channels on other foneras on the road. There are various ways to become a member of the community or to pay for access to its open wifi; they have just done a deal for a significant US roll-out (hat tip: Rebecca MacKinnon); and there are now 100,000 active hotspots on the fon maps. Indeed, some cities are now using fon for municipal wifi (contrast Daithí’s analysis of the situation in Dublin).
I think this is a wonderful idea. Moreover, many of the possible legal problems discussed above fall away with this model. Everyone on fon is registered, and all of the external traffic goes through a second channel, so the evidential issues with anonymous use of open wifi fall away. I look forward to becoming a fonero very soon; and eating lots of free (or at least paid-for-at-home) lunches on the road!
Thanks for the honourable mentions. Something I’m still wondering about (and didn’t answer on my own post) is that if the offence is one that is ‘against’ the ISP – which it would seem to be, certainly in the case of s 99 of the P&T Act, and perhaps also so in the case of s 125 of the British Act – what is the position of the (e.g. broadband) subscriber who chooses to use an open router?
One view of the provisions (which I would not take, but a judge might) is that using open wifi to make use of a broadband subscription without paying for it is a crime. Therefore if I am into Fon (which I would be, if I didn’t access the Web through an academic connection rather than a commercial one!), am I assisting others to evade payment of charges etc and thus also breaking the law? I would hope not – but as I said (in a different context) on my own post, we need clear, flexible statutory language on these points.
(Query: if A is a BT customer and a Fonero and B is using A’s connection, but BT forbids A from sharing by contract, are both A and B rising to the level of dishonesty under s 125 CA 2003?)
Not sure. I’ll have to think about that. Or, I could wait until you’ve worked it out, and then I’ll simply adopt that! An article in the Register tells me both that US law is equally unclear on all of this, and that California has introduced legislation which will force makers of wireless internet equipment to include, from 1 October 2007, guidance on keeping data secure on wireless connections. Oh dear.
Sorry for being slightly tangential but as a follow up to your comment…
I’m sure you’re well aware of the BBC news article on the issue of WEP encryption used in wireless hubs. However, if you look into the issue, BT’s wireless hubs that they supply to customers when they sign up for broadband are actually defaulted to using the insecure WEP encryption algorithm. This does not bode well when modern laptops can break that form of encryption in under a minute. Surely the legal onus in this case is for the broadband provider to default the wireless setup to a stronger common encryption standard (WPA or WPA2) since they would be otherwise leaving the customer’s connection open for abuse.
That’s my two cents…
In what was probably my first ever attempt to address a legal question online, I examined whether using somebody else’s wifi was a crime.
Update (1 August 2007) from The Register via OUT-LAW:
Following up on the mention of Singapore, I read an interesting overview recently that mentioned the case mentioned in your last paragraph above, and also another case, that of Lin Zhenghuang (AP Report).
The relevant law (Computer Misuse Act) says in s 6(1): “any person who knowingly … secures access without authority to any computer for the purpose of obtaining, directly or indirectly, any computer service” which is apparently based on what is now s 342 of the Criminal Code in Canada (and duplicated across a lot of the Commonwealth). It’s a slightly different trend than either the Comms Act 2003 or the Irish mishmash.
I read reports of these two cases, by the way, in this note on Asian developments in Computer Law & Security Report (v 23 p 238 at 245, for anyone following at home).