On Apr 28, 2007, at 12:33 PM, Richard M. Smith wrote:
> The Starbucks case is one for the lawyers to sort out if a private WiFi
> network is readily accessible to the general public or not.
It's not a "private" WiFi network, Richard; it's unencrypted with
SSID broadcast on and accessible to anyone within the vicinity of a
Starbucks -- note, not necessarily inside. Unencrypted = public, in
most cases, and surveillance is certainly one of them. If you want
an affirmative claim to support prosecution of an ECPA/Section 632
violation, you have to encrypt the network's traffic. Even WEP has
value, in the eyes of the law, because it shows a network provider
who took an affirmative action to demonstrate to would-be users an
expectation that the privacy of the network is to be respected.
> My assumption is no. One data point here is that intercepting insecure
> cordless phone conversations is illegal under ECPA even though older
> cordless phones can be heard with a $100 Radio Shack scanner.
Yes, because cordless phone conversations are explicitly considered
"confidential communications" under both ECPA and the relevant
California penal code. However, the criteria of ECPA for what is
considered public among other, non-excepted communications are pretty
solid:
1. Encrypted
   Not true in the case of Starbucks -- open authentication with no data
   encryption.
2. Transmitted using non-public modulation techniques
   Given that 802.11b/g are spec'ed out in IEEE standards documents, I
   don't see this holding up. Furthermore, Starbucks' network
   broadcasts its SSID.
3. Carried on a subsidiary carrier
   802.11 as implemented by Starbucks is inherently point-to-point, up
   until it reaches the AP and hits a wired line.
4. Transmitted over a common carrier network
   Internet providers are not CCs, as the net neutrality debate
   illustrates plainly.
5. Transmitted over certain regulated frequency classes
   It's well-known that the frequency range for 802.11 is not regulated
   and can be used for any functional purpose.
802.11 with SSID broadcast and no encryption is NOT confidential
under ECPA, period. The network is clearly "readily accessible to
the general public", both in letter and in spirit of the law.
California penal code also doesn't apply, because it requires a
reasonable expectation of confidentiality, except in certain classes
of communications like cordless phones. When users connect to an
open WiFi LAN, they typically must affirm at least once that their
communications are subject to interception if not encrypted. Thus,
no reasonable expectation of privacy/confidentiality could be
established for the purposes of Section 632, either, unless perhaps
the transmitter was an illiterate -- good luck explaining *that* to a
judge.
> > You don't really think the paper would've published this story if it
> > would've subjected an individual identified within to criminal
> > prosecution, do you?
> Absolutely. Back around 2003, the Washington Post did an article on how
> easy it was for two computer security people to break into Windows
> computers owned by the Federal government. These computers had open
> shares which were easily detectable from the outside. A week later the
> two consultants were busted by the FBI. Not sure what the result of the
> arrests was.
Seems like another case of the administration pursuing a hopeless
criminal case (e.g., terrorism charges against cell-phone
unlockers). Unless the consultants were informed via warning banners
or some other means that the resources they were accessing were for
government use only, they have neither achieved unauthorized access
nor exceeded their authorization. I was unable to find any
information suggesting that the consultant who was charged was ever
convicted.
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.