Thursday, July 28, 2005

Perilous Wifi

I have been using wireless networks for my personal internet use for almost three years now. As with every new technology, you take risks when exploring new areas because you expose your computer to malicious software and users. Using wireless internet connections is no different, but at what point does it become so dangerous that government should get involved and protect citizens?

America has long had laws preventing wire fraud, which the code generally defines as any representation made for personal gain to the detriment of the victim that uses the wires. The "wires" have been interpreted in a number of ways. Initially, the law covered the lines used to transmit communications like telephone lines, or lines that are used to transmit assets between locations like banks. If wire fraud statutes cover criminal activity over telephone lines, it stands to reason that they should also cover transmissions through the internet since the internet uses the "wires." No one will question that society also needs laws to curb socially damaging behavior like malicious hacking. Fundamentally, the aim of internet regulation should be limited to virtual simulacra of crimes that already exist, i.e. damage to property, theft, fraud, embezzlement, slander, solicitation of unlawful sexual activity, etc. Lately, though, some leaders want to control access to the internet.

The basic problem is controlling access to wireless internet connections. Currently, the United States Code lacks any provision that prohibits access to open computer networks. The recent explosion of home wireless internet users provides government with the impetus to begin regulating these networks. It’s important to note that regulations do prevent hackers from accessing private networks, but this raises another significant issue. If the goal of the world wide web is to provide unfettered access to information, Congress should not get in the business of controlling access to open networks. Congress could easily use existing statutes to curb access to open networks by perverting the definition of "private network." This wouldn't be the first example of altering definitions in legislation in order to expand the scope of the content that statutes cover.

Several months ago, the US Attorney General Gonzales unilaterally redefined the definition of content under 28 U.S.C. 2257. Initially, 2257 controlled sexual exploitation of minors by requiring businesses that host adult content to register with the federal government that the models on the websites were at least 18 years of age. While noble at the outset, the definition of what content falls into the gamut of 2257 now encompasses content that any web administrator places on a website regardless of its origin because the new definition labels any website host an original proprietor. This means that artistic web forums hosted in the United States that post risqué content have to register their content. Effectively, the statute aims to place the adult industry in an administrative stranglehold, but it manages to swallow communicative content not within the targeted class of websites. Section 2257 provides an example of how dangerous it can be to expand definitions in statutory language.

Altering the definition of "private network" could operate much the same way. Currently, it’s illegal to access a network with restricted access, one not readily accessible by turning on your computer and clicking connect. Many frequent wifi users have had this happen. You are sitting in a public place and you turn on your computer. When you get into Windows, your computer alerts you that you have connected to a wireless network, but when you start your web browser, the browser displays an error message. The network your computer has logged into has restricted access which prevents you from accessing the internet. Exploiting the hardware to gain access to the internet fits the definition of illegal access to a private network. All of the hardware on the market now that converts an internet connection into a wireless access point comes with this type of data encryption that limits access to the network. It usually comes in two forms, WEP and MAC restrictions. WEP is a form of data encryption that requires a network-specified key to access, much like using a password. MAC restrictions operate differently by identifying the computers accessing the network by their physical address or MAC address. Every wireless card has a unique MAC address, and a wireless gateway can restrict access to a wireless network by only permitting access to computers with MAC addresses added to a list by the network administrator. While it sounds confusing, the point is simple. The hardware already provides the user with the option of restricting access to home-based wifi networks by offering both of these security options. What, then, is the point of having legislation that would expand the definition of "private network"?

For the purposes of this thought experiment, the new definition of private network includes wireless network signals owned and operated by private individuals for their personal use. As uninteresting and harmless as that sounds, the definition is sufficiently ambiguous to include any wireless signals broadcast for personal use regardless of whether the owner has restricted access to the network. This would mean that every time you fire up your computer and log into a network that is not your own you have just violated a federal law, regardless of whether that network has restricted access. While absurd at first glance, the policy behind these restrictions is still compelling.

Most people transact a large amount of sensitive business over the internet. Wireless signals put all that information up in the air, literally. Moreover, once this information is flying through the air, it can be intercepted by other users. Many websites handling such sensitive information have started to use encryption to prevent the theft of this information. That theft is a crime known as identity theft, and it qualifies as a type of aforementioned fraud. Making it illegal to access private networks under the extended definition would provide a deterrent for anyone accessing an unrestricted wireless network by sweeping them into a class of criminals despised by almost every internet user. While restricting access to these networks aims to prevent identity theft, it also sweeps a large number of innocent users into the arena of federal criminal prosecution for something as simple as turning on your computer.

Windows promotes wifi usage by automatically connecting to networks. Similarly, the manufacturers provide users the ability to restrict access to their personal networks, making them truly private. The best policy to avoid pointless prosecution of accidental access and promote the use of the internet would be to leave the law as it currently stands, adopting a "use at your own risk" policy. An analogy is the doctrine of caveat emptor under contract law, or in other words, "buyer beware."

Expanding these laws creates an unnecessary burden on internet users. While the privacy and theft concerns still exist, the ability to protect oneself is built into the hardware that runs the infrastructure. A better way to combat the problem is to produce more educational materials that teach people to protect themselves, or provide incentives to software manufacturers to create programs that make network encryption extremely user friendly. There are better options than allowing the federal government to control the way we use the internet in this manner. Personally, I would rather the government spend their time on more fruitful pursuits.
