Wednesday, May 04, 2011

Downstream liability problems could exist in other areas: how about home routers?

Back on March 9, my “Internet Safety” blog reported a case in Florida where a man was arrested when someone poached on his wireless router from hundreds of yards away for criminal purposes.  NPR reports on some more cases, including a recent one in April 2011, from New York State, link here

It is the misuse of the router signal that is the issue, not the misuse of the homeowner’s personal computer, which has usually been the case in “false prosecution” problems in the past.  The home user would see no symptoms that her signal was being used (except possibly a slower response).  Antivirus software has nothing to do with this problem; knowledge of how routers work does.

There is debate over whether the lack of passwords or easily cracked pw’s is an issue, or whether hackers could get at any publicly located network (which users may not know how to mask, as in the article).
There’s a philosophical debate, as to how “open” WiFi access should be. Not very open, if downstream, liability is an issue.

In Germany, home users are held criminally responsible if they leave home routers unsecured and others use them.  In the United States, it seems more a matter of heavy handed law enforcement that sometimes is unaware that outside hacking of unsecure routers can occur.  As in most instances of “shoot first, ask questions later” (and lack of due process), home users could have computers seized and damaged and be disrupted for long periods even when it should be obvious they were innocent.

In the past couple of years, telecommunications companies have been selling or renting home routers and selling the service, often providing no training to home users; sometimes contract installers have not been trained in proper security. This could be putting home users in a vulnerable position.

As with Section 230 and DMCA Safe Harbor, there are good public policy questions as to when businesses and individual users should bear some secondary liability risk as a “price” for free entry.  But increased exposure to secondary liability would obviously have huge economic ramifications for Internet-based business.  Now, it seems that some home users could face legal or practical risk for hacking or illegal misuse that they don’t have the technical skill or training to know how to prevent.   (Should home users be thoroughly trained in levels of encryption and in interpreting router internal reports of activity?) This seems like a policy issue that the current administration (and DOJ) should be addressing.  It seems as though liability for misused broadband wireless signals is a huge legal hole that the legal system doesn’t have an answer for now. 
Update: May 5

A district court judge has ruled that "an IP address is not a person" in mass litigation against BitTorrent users identified by IP address. In the case "VPR International v. Does" judge Harold Baker mentioned the practice of going after Wi-Fi router owners for wrongdoing by others who pick up their signals, resulting in dropping cases.  A person or company or party needs to be identified as having done something wrong to be a target of either criminal or civil litigation, he seems to be saying. The TorrentFreak story is here.

Also (getting back to the first topic), I've noticed that a Verizon MI-Fi Secure will time out and turn itself off if a computer using it hibernates (but not if it is turned off properly).  This may be a security feature.  Ordinary wireless routers don't seem to do this. 

No comments: