Oh, God By Scott Shapiro and Alison Mackeen
A Vast Right-Wing Conspiracy By Jonathan H. Adler
License to Wardrive By Brendan I. Koerner
License to Wardrive
Searching for wireless Internet connections is legal. Using them isn't.
IF YOU'VE EVER BOOTED UP YOUR LAPTOP, scanned the area for unsecured wireless networks, and hopped onto the Internet on someone else's dime, you're a thief.
Swiping a little connectivity may be a relatively benign crime, and the victim likely won't know he's being victimized. Yet given that cable modem or DSL service contracts usually forbid subscribers from sharing bandwidth with strangers, it's technically illegal. That's the case whether the owner of the wireless network made the conscious decision to open his connection to all comers, or whether he doesn't realize that any passerby with a wireless card can leech off his bandwidth.
But that clear prohibition against stealing a connection can get fuzzy. What if you're only checking to see whether a network is open for all comers, and then you pass that information along to a friend? Or what if you publish the network's location on a website, so that anyone who swings by can log on, perhaps for illicit purposes?
Defining the difference between criminal trespass and mere curiosity is Patrick S. Ryan's goal in his Virginia Journal of Law & Technology article entitled "War, Peace, or Stalemate: Wargames, Wardialing, Wardriving, and the Emerging Market for Hacker Ethics."
The "wardriving" of the paper's title refers to the practice of using "wireless sniffers"network detection softwareto seek out unsecured networks. The term, Ryan explains, is a descendant of "wardialing," a 1980s hacker pastime in which modem-equipped computers were programmed to cold-call thousands of numbers. As depicted in the 1983 movie WarGames, the modem would occasionally hit upon a number used by a computer network to connect to the outside world. The wardialer would note the details of that network, like the name of the company that owned it or whether it was password-protected. Then he would share that information with other wardialers, usually via electronic bulletin boards or magazines like Phrack. Hackers who happened upon the info might use it for nefarious purposes, like tapping into a private network, but the wardialers themselves made sure to caution against such behavior.
Ryan correctly argues that most forms of wardialing are legal, since the perpetrators usually only record and post information that is freely available without cracking any passwords or circumventing other security measures. It's the difference between breaking into a store and noting that the store's front door features Medeco locks. He writes that several states have explicitly excluded wardialing from their definitions of "computer trespass," since criminal intent isn't expressed in noting where networks exist.
But Ryan also falls for a bit of hacker propaganda when he repeats the oft-used analogy between wardialers and "self-appointed neighborhood watchmen who police an area looking for security breaches." Hackers have been using this self-congratulatory line since at least the 1970s, contending that their publication of vulnerabilities forces system administrators into improving security.
That's true for large-scale networks or software vendors, who pay attention to such matters, and it was probably true for most of the victims of wardialing. But what about a private citizen whose technical savvy stretches no farther than checking stock quotes on AOL? Is he likely to troll newsgroups in order to find evidence that his home computer can be compromised? As Ryan observes, few people would be happy if a self-appointed watchman were to test their door locks uninvited, and then post online a list of insecure houses.
RYAN IS MORE REALISTIC ABOUT THE MOTIVES of wardrivers, the mobile descendants of the wardialers. He breaks down this new hacker community into three camps: those who want free wireless access, those who want to sell their security services to owners of unsecured networks, and a small group with malicious intentions. Since over half the world's Wi-Fi networks are unprotected, and with wardriving databases listing over 2.25 million networks worldwide, there's no shortage of access points to choose from.
This is where Ryan delves into a lengthy, somewhat drab argument for the legality of wardriving. Not that he isn't convincing: He dredges up several cases, as well as an FBI memorandum, that pretty clearly show that doing no more than noting a wireless network's location won't lead to anyone's conviction.
Yet there's something frustratingly academic about Ryan's rhetorical gymnastics in support of wardriving's legality. As he admits, "the premise that wardriving is legal relies on a narrowly construed and somewhat arcane distinction between viewing or recording the existence of open networks and accessing those networks." Yes, wardriving may be legal as a result of legal hairsplitting, but who cares? As Ryan acknowledges, wardrivers know that they're abetting the covert use of Wi-Fi connections by unauthorized people. So should wardrivers be considered accessories to computer trespass?
Sharing information on network vulnerabilities without apprising the network owner of the problem could amount to what is commonly referred to as "crime facilitating speech." This concept has been a hot topic in academic circles lately, as scholars question whether the First Amendment was intended to protect speech that makes it easier to commit illegal acts. Unfortunately, Ryan never explores this issue. Instead, he focuses on the need for a widespread code of ethics for hackers, a tangent that takes him far off topic. He tries to outline the 20-year evolution of hacker ethics, arguing that the formerly anarchic computer underground now recognizes the need for a uniform code of ethics. That's all well and good, but it misses the point of the wardriving phenomenon.
For one, wardriving differs from wardialing in that the end user of the information is likely to be an average Joe. Windows XP's built-in Wi-Fi sniffer has democratized wireless hacking, so that even computerphobes can figure out where to find an access point. Tell an ordinary computer user that there's an open dial-up network somewhere, and he wouldn't have the foggiest idea how to exploit that vulnerability. But tell him that there's an open Wi-Fi network, and he knows enough to let his Windows XP laptop sniff out the location and log him on automatically. Because this user doesn't consider himself a hacker, he presumably wouldn't be bound by or even aware of the culture's guidelines inveighing against such activity.
Furthermore, Ryan gives too much credence to several laughably ineffectual codes of wardriving ethics. He notes, for example, that the Stumbler Code of Ethics v0.2, written by a wardriver who goes by the nickname Renderman, "warns people 'never to connect' to open networks and suggests that wardrivers adopt the 'hiker motto' of 'take only pictures, leave only footprints.' " That's a nice sentiment, but I doubt that anyone apart from a few veteran wardrivers takes it seriously.
As a result, Ryan's plea for "hacker self-regulation" sounds a wee bit archaic, not to mention idealistic. There is a hacker elite that takes its subversive responsibilities quite seriously, but it's Pollyannaish to believe that all hackers would comply with a code of conductthis is a culture that embraces the philosophy of anarchism, and so is generally hostile to anything that smacks of order. Besides, there is no club to be kicked out of, and no job to lose, for violating the code of ethics.
RYAN DOES A BETTER JOB IN CALLING for Wi-Fi equipment providers to assume some of the responsibility for the woeful state of wireless Internet security. He makes the salient point that these companies have done a poor job of educating consumers about how to secure their networks, and may be exposed to civil action as a result. It is hard to believe that the Linksys and Netgears of the world can't better streamline their security processes, or even turn on encryption schemes by default.
But while making this important observation, Ryan falls back onto his rote conclusion that hackers aren't bad guysthey're just curious. The hackers-as-friendly-vigilantes theme has been around for years, perpetuated by journalists who want to romanticize the computer underground, as well as suck up to their 17-year-old sources. Ryan does try to argue that wardrivers are merely trying to alert network owners to security holes, and that "the neighborhood watchman should not be punished for kindly warning her neighbor that his door is unlocked." Agreed, but Ryan can't believe that this is the sole intent of wardrivers, particularly since he argues elsewhere in the article that most of them generally want to sneak a little free Wi-Fi access. I would be interested in hearing how many wardrivers have knocked on the doors of Wi-Fi network owners and said, "Hey, just wanted to let you know that your connection is open."
I'm betting it's far fewer than the number of wardrivers who've used the information to hop on the Internet. And it's certainly fewer than the number of people who've been tipped off to Wi-Fi hotspots by wardriving friends, or their Windows XP sniffer, and then enjoyed free Internet access. These peoplemyself includedare almost certainly breaking the law, since we're accessing those networks, rather than noting their location. Wardriving is legal, in Ryan's view, assuming people don't access what they find. But virtually no one refrains from doing so.
A more provocative article on the wardriving phenomenon, then, has yet to be writtenone on whether wardrivers are legally liable for how their information is used, especially by malicious endusers. Though "War, Peace, or Stalemate" is marred by some naïve views about both hackers and ordinary computer users, I nominate the obviously knowledgeable and diligent Ryan for the task.