Legality of piggybacking
Encyclopedia
Laws regarding "unauthorized access of a computer network
" exist in many legal codes, including the U.S. federal government, all 50 U.S. state
s, and other countries, though the wording and meaning differ from one to the next. However, the interpretation of terms like "access" and "authorization" is not clear, and there is no general agreement on whether piggybacking
(intentional access of an open Wi-Fi
network without harmful intent) falls under this classification. Some jurisdictions prohibit it, some permit it, and others are not well-defined.
For example, a common but untested argument is that the 802.11 and DHCP
protocols operate on behalf of the owner, implicitly requesting permission to access the network, which the wireless router
then authorizes. (This would not apply if the user has other reason to know that their use is unauthorized, such as a written or unwritten notice.)
In addition to laws against unauthorized access on the user side, there are the issues of breach of contract
with the Internet service provider
on the network owner's side. Many terms of service
prohibit bandwidth sharing with others, though others allow it. The Electronic Frontier Foundation
maintains a list of ISPs that allow sharing of the Wi-Fi signal.
. According to Section 342.1, "Every one who, fraudulently and without colour of right
" obtains "computer services" from an access point is subject to criminal charges. (See Criminal Code of Canada, RSC 1985, c. C-46, s. 342.1 (1) (a))
Section 326 may also be used to address unauthorized access of a computer network. '(1) Every one commits theft who fraudulently, maliciously, or without colour of right
', '(b) uses any telecommunication facility or obtains any telecommunication service.'
In Toronto
in 2003, a man was arrested with a Wi-Fi enabled laptop in his car, partially undressed. He was tapping into unprotected wireless networks to download child pornography
. Ultimately, however, he was charged not for piggybacking
, but for the pornography instead.
In Morrisburg, Ontario in 2006, a man was arrested under section 326 of the Criminal Code of Canada. Ultimately the arrest was poorly reported, there does not seem to be any information available with regards to conviction.
5,000 bond if he failed to abide by the ban. Tan was also given the option of enlisting early for National Service
. If he did so, he would not have to serve whatever remained of his sentence.
On 4 January 2007, Lin Zhenghuang was charged for using his neighbour's unsecured wireless network to post a bomb hoax online. In July 2005, Lin had posted a message entitled "Breaking News – Toa Payoh
Hit by Bomb Attacks" on a forum managed by HardwareZone
. Alarmed by the message, a user reported it to the authorities through the Government of Singapore
's eCitizen website. Lin faced an additional 60 charges for having used his notebook computer to repeatedly access the wireless networks of nine people in his neighborhood. Lin pleaded guilty to one charge under the Telecommunications Act and another nine under the Computer Misuse Act on 31 January. He apologised for his actions, claiming he had acted out of "stupidness" and not due to any "malicious or evil intent". On 7 February he was sentenced by District Judge Francis Tseng to three months' jail and a S$4,000 fine. The judge also set sentencing guidelines for future 'mooching' cases, stating that offenders would be liable to fines and not to imprisonment unless offences were "committed in order to facilitate the commission of or to avoid detection for some more serious offence", as it was in Lin's case.
, section 1 reads:
In London
, 2005, Gregory Straszkiewicz was the first person to be convicted of a related crime, "dishonestly obtaining an electronics communication service" (under s.125 Communications Act 2003
). Local residents complained that he was repeatedly trying to gain access to residential networks with a laptop from a car. There was no evidence that he had any other criminal intent. He was fined £500 and given a 12-month conditional discharge
.
In early 2006, two other individuals were arrested and received an official caution for "dishonestly obtaining electronic communications services with intent to avoid payment."
Some portable devices, such as the Apple iPad
and iPod touch
, allow casual use of open Wi-Fi networks as a basic feature, and often identify the presence of specific access points within the vicinity for user geolocation
.
, 2005, Benjamin Smith III was arrested and charged with "unauthorized access to a computer network", a third-degree felony in the state of Florida
, after using a resident's wireless network from a car parked outside.
An Illinois
man was arrested in January 2006 for piggybacking on a Wi-Fi
network. David M. Kauchak was the first person to be charged with "remotely accessing another computer system" in Winnebago County
. He had been accessing the Internet through a nonprofit agency's network from a car parked nearby and chatted with the police officer about it. He pleaded guilty and was sentenced to a fine of $250 and one year of court supervision.
In Sparta, Michigan
, 2007, Sam Peterson was arrested for checking his email each day using a cafe's wireless Internet access from a car parked nearby. A police officer became suspicious, stating, "I had a feeling a law was being broken, but I didn't know exactly what". The man explained what he was doing to the officer when asked, as he did not know that the act was illegal. The officer found a law against "unauthorized use of computer access", leading to an arrest and charges that could result in a five year felony and $10,000 fine. The cafe owner was not aware of the law, either. "I didn't know it was really illegal, either. If he would have come in [to the coffee shop] it would have been fine." They did not press charges, but he was eventually sentenced to a $400 fine and 40 hours of community service. This case was featured on the Colbert Report.
In 2007, Palmer, Alaska
, 21-year old Brian Tanner was charged with "theft of services" and had his laptop confiscated after accessing a gaming website at night from the parking lot outside the Palmer Public Library, as he was allowed to do during the day. He had been asked to leave the parking lot the night before by police, which he had started using because they had asked him not to use residential connections in the past. He was not ultimately charged with theft, but could still be charged with trespassing or not obeying a police order. The library director said that Tanner had not broken any rules, and local citizens criticized police for their actions.
House Bill 495 was proposed, which would clarify that the duty to secure the wireless network lies with the network owner, instead of criminalizing the automatic access of open networks. It was passed by the New Hampshire House in March 2003, but was not signed into law. The current wording of the law provides some affirmative defense
s for use of a network that is not explicitly authorized:
There are additional provisions in the NH law, Section 638:17 Computer Related Offenses, as found by searching NH RSA's in December 2009. They cover actual use of someone else's computer rather than simply 'access':
New York
law is the most permissive. The statute against unauthorized access only applies when the network "is equipped or programmed with any device or coding system, a function of which is to prevent the unauthorized use of said computer or computer system". In other words, the use of a network would only be considered unauthorized and illegal if the network owner had enabled encryption or password protection and the user bypassed this protection, or when the owner has explicitly given notice that use of the network is prohibited, either orally or in writing. Westchester County
passed a law, taking effect in October 2006, that prohibits commercial networks from being operated without a firewall, SSID
broadcasting disabled, and a non-default SSID, in an effort to fight identity theft
. Businesses that do not secure their networks in this way face a $500 fine. The law has been criticized as being ineffectual against actual identity thieves and punishing businesses like coffee houses for normal business practices.
Computer network
A computer network, often simply referred to as a network, is a collection of hardware components and computers interconnected by communication channels that allow sharing of resources and information....
" exist in many legal codes, including the U.S. federal government, all 50 U.S. state
U.S. state
A U.S. state is any one of the 50 federated states of the United States of America that share sovereignty with the federal government. Because of this shared sovereignty, an American is a citizen both of the federal entity and of his or her state of domicile. Four states use the official title of...
s, and other countries, though the wording and meaning differ from one to the next. However, the interpretation of terms like "access" and "authorization" is not clear, and there is no general agreement on whether piggybacking
Piggybacking (internet access)
Piggybacking on Internet access is the practice of establishing a wireless Internet connection by using another subscriber's wireless Internet access service without the subscriber's explicit permission or knowledge. It is a legally and ethically controversial practice, with laws that vary by...
(intentional access of an open Wi-Fi
Wi-Fi
Wi-Fi or Wifi, is a mechanism for wirelessly connecting electronic devices. A device enabled with Wi-Fi, such as a personal computer, video game console, smartphone, or digital audio player, can connect to the Internet via a wireless network access point. An access point has a range of about 20...
network without harmful intent) falls under this classification. Some jurisdictions prohibit it, some permit it, and others are not well-defined.
For example, a common but untested argument is that the 802.11 and DHCP
Dynamic Host Configuration Protocol
The Dynamic Host Configuration Protocol is a network configuration protocol for hosts on Internet Protocol networks. Computers that are connected to IP networks must be configured before they can communicate with other hosts. The most essential information needed is an IP address, and a default...
protocols operate on behalf of the owner, implicitly requesting permission to access the network, which the wireless router
Wireless router
A Wireless router is a device that performs the functions of a router but also includes the functions of a wireless access point and a network switch. They are commonly used to allow access to the Internet or a computer network without the need for a cabled connection. It can function in a wired...
then authorizes. (This would not apply if the user has other reason to know that their use is unauthorized, such as a written or unwritten notice.)
In addition to laws against unauthorized access on the user side, there are the issues of breach of contract
Breach of contract
Breach of contract is a legal cause of action in which a binding agreement or bargained-for exchange is not honored by one or more of the parties to the contract by non-performance or interference with the other party's performance....
with the Internet service provider
Internet service provider
An Internet service provider is a company that provides access to the Internet. Access ISPs directly connect customers to the Internet using copper wires, wireless or fiber-optic connections. Hosting ISPs lease server space for smaller businesses and host other people servers...
on the network owner's side. Many terms of service
Terms of service
Terms of service are rules which one must agree to abide by in order to use a service. Unless in violation of consumer protection laws, such terms are usually legally binding...
prohibit bandwidth sharing with others, though others allow it. The Electronic Frontier Foundation
Electronic Frontier Foundation
The Electronic Frontier Foundation is an international non-profit digital rights advocacy and legal organization based in the United States...
maintains a list of ISPs that allow sharing of the Wi-Fi signal.
Australia
Under Australian Law, "unauthorized access, modification or impairment" of data held in a computer system is a federal offence under the Criminal Code Act 1995. The act refers specifically to data as opposed to network resources (connection).Canada
In Canadian law, unauthorized access is addressed by Section 342.1 of the Criminal Code of CanadaCriminal Code of Canada
The Criminal Code or Code criminel is a law that codifies most criminal offences and procedures in Canada. Its official long title is "An Act respecting the criminal law"...
. According to Section 342.1, "Every one who, fraudulently and without colour of right
Colour of right
Colour of right is the legal concept in the UK and other Commonwealth countries of an accused's permission to the usage or conversion of an asset in the possession of another. In New Zealand Crime's Act, colour of right "means an honest belief that an act is justifiable..."...
" obtains "computer services" from an access point is subject to criminal charges. (See Criminal Code of Canada, RSC 1985, c. C-46, s. 342.1 (1) (a))
Section 326 may also be used to address unauthorized access of a computer network. '(1) Every one commits theft who fraudulently, maliciously, or without colour of right
Colour of right
Colour of right is the legal concept in the UK and other Commonwealth countries of an accused's permission to the usage or conversion of an asset in the possession of another. In New Zealand Crime's Act, colour of right "means an honest belief that an act is justifiable..."...
', '(b) uses any telecommunication facility or obtains any telecommunication service.'
In Toronto
Toronto
Toronto is the provincial capital of Ontario and the largest city in Canada. It is located in Southern Ontario on the northwestern shore of Lake Ontario. A relatively modern city, Toronto's history dates back to the late-18th century, when its land was first purchased by the British monarchy from...
in 2003, a man was arrested with a Wi-Fi enabled laptop in his car, partially undressed. He was tapping into unprotected wireless networks to download child pornography
Child pornography
Child pornography refers to images or films and, in some cases, writings depicting sexually explicit activities involving a child...
. Ultimately, however, he was charged not for piggybacking
Piggybacking
Piggybacking may refer to:*Piggy-back , something that is riding on the back of something else*Piggybacking , when an authorized person allows others to pass through a secure door...
, but for the pornography instead.
In Morrisburg, Ontario in 2006, a man was arrested under section 326 of the Criminal Code of Canada. Ultimately the arrest was poorly reported, there does not seem to be any information available with regards to conviction.
Hong Kong
Under HK Laws. Chapter 200 Crimes Ordinance Section 161 Access to computer with criminal or dishonest intent:Singapore
In November 2006, the 17 year old Garyl Tan Jia Luo, was arrested for tapping into his neighbour's wireless Internet connection. He faced up to three years' imprisonment and a fine under the Computer Misuse Act. On 19 December, Tan pleaded guilty to the charge, and on 16 January 2007 he became the first person in Singapore to be convicted of the offense. He was sentenced by the Community Court to 18 months' probation, half of which was to be served at a boys' home. For the remaining nine months, he had to stay indoors from 10:00 pm to 6:00 am. He was also sentenced to 80 hours of community service and banned from using the Internet for 18 months; his parents risked forfeiting a S$Singapore dollar
The Singapore dollar or Dollar is the official currency of Singapore. It is normally abbreviated with the dollar sign $, or alternatively S$ to distinguish it from other dollar-denominated currencies...
5,000 bond if he failed to abide by the ban. Tan was also given the option of enlisting early for National Service
National Service in Singapore
Conscription in Singapore, called National Service , requires all male Singaporean citizens and second-generation permanent residents who have reached the age of 18 to enrol in the military...
. If he did so, he would not have to serve whatever remained of his sentence.
On 4 January 2007, Lin Zhenghuang was charged for using his neighbour's unsecured wireless network to post a bomb hoax online. In July 2005, Lin had posted a message entitled "Breaking News – Toa Payoh
Toa Payoh
Toa Payoh is a district located in the Central Region of Singapore. It commonly refers to the Housing and Development Board housing estate of Toa Payoh New Town, one of the earliest satellite public housing estates in Singapore....
Hit by Bomb Attacks" on a forum managed by HardwareZone
HardwareZone
HardwareZone is an IT-oriented Internet portal based in Singapore. It is operated by Hardware Zone Private Limited, which is a wholly owned subsidiary of Singapore Press Holdings...
. Alarmed by the message, a user reported it to the authorities through the Government of Singapore
Government of Singapore
The Government of Singapore is defined by the Constitution of the Republic of Singapore to mean the Executive branch of government, which is made up of the President and the Cabinet of Singapore. Although the President acts in his personal discretion in the exercise of certain functions as a check...
's eCitizen website. Lin faced an additional 60 charges for having used his notebook computer to repeatedly access the wireless networks of nine people in his neighborhood. Lin pleaded guilty to one charge under the Telecommunications Act and another nine under the Computer Misuse Act on 31 January. He apologised for his actions, claiming he had acted out of "stupidness" and not due to any "malicious or evil intent". On 7 February he was sentenced by District Judge Francis Tseng to three months' jail and a S$4,000 fine. The judge also set sentencing guidelines for future 'mooching' cases, stating that offenders would be liable to fines and not to imprisonment unless offences were "committed in order to facilitate the commission of or to avoid detection for some more serious offence", as it was in Lin's case.
United Kingdom
The Computer Misuse Act 1990Computer Misuse Act 1990
The Computer Misuse Act 1990 is an Act of the Parliament of the United Kingdom, introduced partly in response to the decision in R v Gold & Schifreen 1 AC 1063 . Critics of the bill complained that it was introduced hastily and was poorly thought out...
, section 1 reads:
In London
London
London is the capital city of :England and the :United Kingdom, the largest metropolitan area in the United Kingdom, and the largest urban zone in the European Union by most measures. Located on the River Thames, London has been a major settlement for two millennia, its history going back to its...
, 2005, Gregory Straszkiewicz was the first person to be convicted of a related crime, "dishonestly obtaining an electronics communication service" (under s.125 Communications Act 2003
Communications Act 2003
The Communications Act 2003 is an Act of the Parliament of the United Kingdom. It gave regulation body Ofcom its full powers. Among other measures, it introduced legal recognition of Community Radio and paved the way for full-time Community Radio services in the UK; as well as controversially...
). Local residents complained that he was repeatedly trying to gain access to residential networks with a laptop from a car. There was no evidence that he had any other criminal intent. He was fined £500 and given a 12-month conditional discharge
Conditional discharge
A discharge is a type of sentence where no punishment is imposed. An absolute discharge is unconditional: the defendant is not punished, and the case is over. In some jurisdictions, an absolute discharge means there is no conviction despite a finding that the defendant is guilty...
.
In early 2006, two other individuals were arrested and received an official caution for "dishonestly obtaining electronic communications services with intent to avoid payment."
United States
Laws vary widely between states. Some criminalize the mere unauthorized access of a network, while others require monetary damages or intentional breaching of security features. The majority of state laws do not specify what is meant by "unauthorized access". Regardless, enforcement is minimal in most states even where it is illegal, and detection is difficult in many cases.Some portable devices, such as the Apple iPad
IPad
The iPad is a line of tablet computers designed, developed and marketed by Apple Inc., primarily as a platform for audio-visual media including books, periodicals, movies, music, games, and web content. The iPad was introduced on January 27, 2010 by Apple's then-CEO Steve Jobs. Its size and...
and iPod touch
IPod touch
The iPod Touch is a portable media player, personal digital assistant, handheld game console, and Wi-Fi mobile device designed and marketed by Apple Inc. The iPod Touch adds the multi-touch graphical user interface to the iPod line...
, allow casual use of open Wi-Fi networks as a basic feature, and often identify the presence of specific access points within the vicinity for user geolocation
Geolocation
Geolocation is the identification of the real-world geographic location of an object, such as a radar, mobile phone or an Internet-connected computer terminal...
.
Arrests
In St. PetersburgSt. Petersburg, Florida
St. Petersburg is a city in Pinellas County, Florida, United States. It is known as a vacation destination for both American and foreign tourists. As of 2008, the population estimate by the U.S. Census Bureau is 245,314, making St...
, 2005, Benjamin Smith III was arrested and charged with "unauthorized access to a computer network", a third-degree felony in the state of Florida
Florida
Florida is a state in the southeastern United States, located on the nation's Atlantic and Gulf coasts. It is bordered to the west by the Gulf of Mexico, to the north by Alabama and Georgia and to the east by the Atlantic Ocean. With a population of 18,801,310 as measured by the 2010 census, it...
, after using a resident's wireless network from a car parked outside.
An Illinois
Illinois
Illinois is the fifth-most populous state of the United States of America, and is often noted for being a microcosm of the entire country. With Chicago in the northeast, small industrial cities and great agricultural productivity in central and northern Illinois, and natural resources like coal,...
man was arrested in January 2006 for piggybacking on a Wi-Fi
Wi-Fi
Wi-Fi or Wifi, is a mechanism for wirelessly connecting electronic devices. A device enabled with Wi-Fi, such as a personal computer, video game console, smartphone, or digital audio player, can connect to the Internet via a wireless network access point. An access point has a range of about 20...
network. David M. Kauchak was the first person to be charged with "remotely accessing another computer system" in Winnebago County
Winnebago County, Illinois
Winnebago County is a county located in the U.S. state of Illinois. According to the 2010 census, it has a population of 295,266, which is an increase of 6.1% from 278,418 in 2000...
. He had been accessing the Internet through a nonprofit agency's network from a car parked nearby and chatted with the police officer about it. He pleaded guilty and was sentenced to a fine of $250 and one year of court supervision.
In Sparta, Michigan
Sparta, Michigan
Sparta is a village in Kent County in the U.S. state of Michigan. The population was 4,159 at the 2000 census. The village resides in Sparta Township.-History:...
, 2007, Sam Peterson was arrested for checking his email each day using a cafe's wireless Internet access from a car parked nearby. A police officer became suspicious, stating, "I had a feeling a law was being broken, but I didn't know exactly what". The man explained what he was doing to the officer when asked, as he did not know that the act was illegal. The officer found a law against "unauthorized use of computer access", leading to an arrest and charges that could result in a five year felony and $10,000 fine. The cafe owner was not aware of the law, either. "I didn't know it was really illegal, either. If he would have come in [to the coffee shop] it would have been fine." They did not press charges, but he was eventually sentenced to a $400 fine and 40 hours of community service. This case was featured on the Colbert Report.
In 2007, Palmer, Alaska
Palmer, Alaska
Palmer is the borough seat of the Matanuska-Susitna Borough in the state of Alaska, USA. It is part of the Anchorage Metropolitan Statistical Area. As of the 2010 census, the population of the city is 5,937....
, 21-year old Brian Tanner was charged with "theft of services" and had his laptop confiscated after accessing a gaming website at night from the parking lot outside the Palmer Public Library, as he was allowed to do during the day. He had been asked to leave the parking lot the night before by police, which he had started using because they had asked him not to use residential connections in the past. He was not ultimately charged with theft, but could still be charged with trespassing or not obeying a police order. The library director said that Tanner had not broken any rules, and local citizens criticized police for their actions.
Legislation
In 2003, the New HampshireNew Hampshire
New Hampshire is a state in the New England region of the northeastern United States of America. The state was named after the southern English county of Hampshire. It is bordered by Massachusetts to the south, Vermont to the west, Maine and the Atlantic Ocean to the east, and the Canadian...
House Bill 495 was proposed, which would clarify that the duty to secure the wireless network lies with the network owner, instead of criminalizing the automatic access of open networks. It was passed by the New Hampshire House in March 2003, but was not signed into law. The current wording of the law provides some affirmative defense
Affirmative defense
A defendant offers an affirmative defense when responding to a plaintiff's claim in common law jurisdictions, or, more familiarly, in criminal law. Essentially, the defendant affirms that the condition is occurring or has occurred but offers a defense that bars, or prevents, the plaintiff's claim. ...
s for use of a network that is not explicitly authorized:
There are additional provisions in the NH law, Section 638:17 Computer Related Offenses, as found by searching NH RSA's in December 2009. They cover actual use of someone else's computer rather than simply 'access':
New York
New York
New York is a state in the Northeastern region of the United States. It is the nation's third most populous state. New York is bordered by New Jersey and Pennsylvania to the south, and by Connecticut, Massachusetts and Vermont to the east...
law is the most permissive. The statute against unauthorized access only applies when the network "is equipped or programmed with any device or coding system, a function of which is to prevent the unauthorized use of said computer or computer system". In other words, the use of a network would only be considered unauthorized and illegal if the network owner had enabled encryption or password protection and the user bypassed this protection, or when the owner has explicitly given notice that use of the network is prohibited, either orally or in writing. Westchester County
Westchester County, New York
Westchester County is a county located in the U.S. state of New York. Westchester covers an area of and has a population of 949,113 according to the 2010 Census, residing in 45 municipalities...
passed a law, taking effect in October 2006, that prohibits commercial networks from being operated without a firewall, SSID
Service set identifier
A service set is all the devices associated with a local or enterprise IEEE 802.11 wireless local area network .-Service set identifier :...
broadcasting disabled, and a non-default SSID, in an effort to fight identity theft
Identity theft
Identity theft is a form of stealing another person's identity in which someone pretends to be someone else by assuming that person's identity, typically in order to access resources or obtain credit and other benefits in that person's name...
. Businesses that do not secure their networks in this way face a $500 fine. The law has been criticized as being ineffectual against actual identity thieves and punishing businesses like coffee houses for normal business practices.