Saturday, September 08, 2012

Judge correctly rules WiFi sniffing legal

A court has ruled that sniffing WiFi at hotspots is legal. Is this a good ruling? Legal expert Orin Kerr says “no”, that such sniffing is illegal. He is wrong, as I will show below.

GENERALLY ACCESSIBLE

First, we need to discuss how WiFi technically works. All WiFi devices receive all traffic all the time; they just quickly discard the frames that don’t belong to them. This means your neighbor’s WiFi traffic passes through your iPhone. What we mean by “WiFi sniffing” is simply “no longer discarding it”.

The judge cites a $200 AirPcap as evidence that WiFi traffic can easily be captured, but he’s wrong, because it’s even easier than that: no special hardware is needed. For Windows, you might use the free “Winpcap” or “Netmon” software. For MacOSX you might use “Kismac”. For Linux, there are too many popular programs to list, but any such list would start with “tcpdump”. All are free. All use the fact that your laptop already has the WiFi traffic, and all they need do is save it to disk rather than discard it.

This technical point is crucial when interpreting the statute, which says that it’s not unlawful to intercept communication that is “readily accessible to the general public”. Nearby traffic is already going through your laptop, mobile phone, or Kindle reader, and all you need is software that saves it to disk. It’s hard to argue that this traffic isn’t “generally accessible”.
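To make the “receive everything, discard what isn’t yours” point concrete, here is an added example (not code from the post or from any of the tools it names) that builds a few constructed 802.11 data frames and parses their headers. The MAC addresses are made up, and the frame layout is the standard 24-byte header (frame control, duration, three addresses, sequence control). The only difference between a normal station and a “sniffer” is whether the receive filter at the end keeps the frames addressed to someone else:

```python
import struct

# Constructed sample addresses (not from the post). Locally administered MACs.
MY_MAC = "02:00:00:00:00:aa"
NEIGHBOR_MAC = "02:00:00:00:00:bb"
AP_MAC = "02:00:00:00:00:01"
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_to_bytes(mac):
    return bytes(int(octet, 16) for octet in mac.split(":"))


def bytes_to_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_data_frame(receiver, transmitter, bssid, body, seq=0):
    """Build a minimal 802.11 data frame: 24-byte MAC header followed by the body."""
    # Frame Control (little-endian): protocol version 0, type 2 (data), subtype 0 -> 0x0008
    frame_control = struct.pack("<H", 0x0008)
    duration = struct.pack("<H", 0)
    seq_ctl = struct.pack("<H", seq << 4)  # fragment number 0, sequence number in the top 12 bits
    return (frame_control + duration
            + mac_to_bytes(receiver) + mac_to_bytes(transmitter) + mac_to_bytes(bssid)
            + seq_ctl + body)


def parse_header(frame):
    """Decode the fixed part of an 802.11 MAC header."""
    frame_control, _duration = struct.unpack_from("<HH", frame, 0)
    return {
        "type": (frame_control >> 2) & 0x3,       # 0 = management, 1 = control, 2 = data
        "subtype": (frame_control >> 4) & 0xF,
        "addr1": bytes_to_mac(frame[4:10]),       # receiver address
        "addr2": bytes_to_mac(frame[10:16]),      # transmitter address
        "addr3": bytes_to_mac(frame[16:22]),      # BSSID for a simple infrastructure frame
        "seq": struct.unpack_from("<H", frame, 22)[0] >> 4,
        "body": frame[24:],
    }


def receive(frames, my_mac, sniffing=False):
    """Model a WiFi card's receive path.

    Every frame on the channel is decoded. A normal card keeps only frames whose
    receiver address is its own MAC or the broadcast address and discards the rest.
    A sniffer simply skips that discard step and keeps everything.
    """
    kept = []
    for frame in frames:
        hdr = parse_header(frame)
        if sniffing or hdr["addr1"] in (my_mac, BROADCAST):
            kept.append(hdr)
    return kept


def sample_channel():
    """Constructed traffic on one channel: one frame for us, one for a neighbor, one broadcast."""
    return [
        build_data_frame(MY_MAC, AP_MAC, AP_MAC, b"for me", seq=1),
        build_data_frame(NEIGHBOR_MAC, AP_MAC, AP_MAC, b"neighbor's traffic", seq=2),
        build_data_frame(BROADCAST, AP_MAC, AP_MAC, b"to everyone", seq=3),
    ]


if __name__ == "__main__":
    frames = sample_channel()
    normal = receive(frames, MY_MAC)
    sniffed = receive(frames, MY_MAC, sniffing=True)
    print("normal card keeps:", [h["body"] for h in normal])
    print("sniffer keeps:    ", [h["body"] for h in sniffed])
```

The radio delivers all three frames to the card in both runs; the normal path keeps two and the sniffer keeps three. That is the whole difference the post is describing: the neighbor’s frame was already decoded by the card either way.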


WPA ENCRYPTION

If you don’t want your traffic to be generally accessible, all you need do is turn on WPA encryption. This feature really works. If you choose a strong password, nobody can eavesdrop on your traffic, not your neighbor’s teenage kid, and not even the NSA with all their encryption-busting super-computers. All they will get is a random jumble of meaningless bits. Evildoers in countries like Iran are perfectly safe from drones flying overhead monitoring their WiFi (as long as they choose a secure password).

When you connect to an unencrypted WiFi network, such as your local Starbucks, your Windows laptop will warn you that anybody can eavesdrop. You have to confirm that yes, this is indeed what you want to do. In other words, you made the explicit choice for your traffic to be “generally accessible to the public”. Orin Kerr points to court rulings saying that eavesdropping on cordless telephones was illegal – but those are cases where consumers had no choice, and never explicitly made that decision.

At the nearest Starbucks to my house there is a bar next door. That bar also provides free WiFi, but they encrypt it with WPA. The password is just their phone number. Starbucks could easily do the same. Instead of providing an open hotspot, Starbucks could just tell everyone the password is “starbucks”. It’s not terribly difficult for hackers to bypass, but it means that content is no longer “generally accessible”, and would trigger other provisions of the law banning interception of encrypted traffic.


CHILLING EFFECT

It’s not just your own device that sniffs and then discards traffic. There is a broad swath of technology that needs to eavesdrop on network traffic without any intent of capturing private data.

Google’s StreetView cars are one example. They eavesdropped on as much as they could in order to map WiFi “access points”, so that devices could use WiFi to locate themselves without GPS.

Another example is WiFi “intrusion detection systems” or “IDS”. These devices detect hackers trying to break into a WiFi network. By their very nature, they must eavesdrop on all the WiFi traffic near them, which includes traffic from their neighbors that doesn’t belong to them. These systems will record suspicious activity, which sometimes means recording innocent traffic from their neighbors. Some have the ability to record the last several days’ worth of traffic, for investigating attacks.

None of these benign activities care if the traffic is encrypted. In fact, they’d prefer it that way. No intrusion analyst wants to analyze a suspected hacker incident only to find their neighbor is surfing porn. Google got a lot of bad publicity for over-capturing data that people could’ve just made private by turning on encryption.

Something as simple as having Starbucks encrypt their WiFi access points with the password “starbucks” would greatly help such things. It means individual packets cannot be decrypted in isolation. They can only be decrypted if you’ve also captured the connection sequence (the key handshake at the start of the session) and can crack the password. An intrusion detection system triggering on suspicious events wouldn’t have that. Neither would a Google StreetView car driving nearby. Yes, these things might capture individual packets, but no, they would be powerless to decrypt them, even when the password is something well-known like “starbucks”. Only a hacker sitting at the hotspot for a long time capturing the connection sequence would be able to decrypt the packets.
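Why a well-known password still doesn’t let a passer-by decrypt packets comes down to the WPA2-PSK key hierarchy. The following is an added example, not code from the post: it derives the pairwise master key (PMK) from the passphrase and SSID with PBKDF2 as specified in IEEE 802.11i, then derives the per-session pairwise transient key (PTK) from the PMK, the two MAC addresses and the two nonces exchanged in the four-way handshake. The MAC addresses and nonces below are constructed; the PBKDF2 test vector (passphrase “password”, SSID “IEEE”) is the one published in the standard. The point the code makes is that the temporal key used to encrypt frames depends on handshake values that never reappear in later packets, so knowing “starbucks” alone is not enough:

```python
import hashlib
import hmac
import os


def pmk_from_passphrase(passphrase, ssid):
    """WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 256 bits)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key, label, data, nbytes):
    """The 802.11i PRF: concatenated HMAC-SHA1(key, label || 0x00 || data || counter)."""
    out = b""
    counter = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]), hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]


def derive_ptk(pmk, ap_mac, sta_mac, anonce, snonce):
    """PTK = PRF-384(PMK, "Pairwise key expansion", min(AA,SPA)||max(AA,SPA)||min(ANonce,SNonce)||max(ANonce,SNonce)).

    384 bits is the CCMP size: KCK (16 bytes) || KEK (16 bytes) || TK (16 bytes).
    """
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48]}


def temporal_key_for_session(passphrase, ssid, ap_mac, sta_mac, anonce, snonce):
    """The key that actually encrypts this session's data frames."""
    return derive_ptk(pmk_from_passphrase(passphrase, ssid), ap_mac, sta_mac, anonce, snonce)["tk"]


def observer_temporal_key(passphrase, ssid, ap_mac, sta_mac, handshake):
    """What a passive observer can derive.

    `handshake` is the (anonce, snonce) pair if the observer captured the four-way
    handshake for this session, or None if it only saw later data frames. Without the
    nonces there is no PTK to derive, however well-known the passphrase is.
    """
    if handshake is None:
        return None
    anonce, snonce = handshake
    return temporal_key_for_session(passphrase, ssid, ap_mac, sta_mac, anonce, snonce)


# Constructed sample values (not from the post).
AP_MAC = bytes.fromhex("020000000001")
STA_MAC = bytes.fromhex("0200000000aa")


def demo():
    """Two sessions on the same 'starbucks' network: same PMK, different per-session keys."""
    session1 = (os.urandom(32), os.urandom(32))  # (ANonce, SNonce) for session 1
    session2 = (os.urandom(32), os.urandom(32))  # a later session, fresh nonces
    tk1 = temporal_key_for_session("starbucks", "Starbucks", AP_MAC, STA_MAC, *session1)
    tk2 = temporal_key_for_session("starbucks", "Starbucks", AP_MAC, STA_MAC, *session2)
    late_arrival = observer_temporal_key("starbucks", "Starbucks", AP_MAC, STA_MAC, None)
    return tk1, tk2, late_arrival


if __name__ == "__main__":
    tk1, tk2, late = demo()
    print("session 1 TK:", tk1.hex())
    print("session 2 TK:", tk2.hex())
    print("observer who missed the handshake derives:", late)
```

An IDS or a passing StreetView car that records a handful of data frames falls into the `None` branch: the PMK is cheap to compute from “starbucks”, but the frames are encrypted under a TK that only the handshake reveals.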


PRECEDENT

Judges ruling on old laws applied to new technology set precedent. In effect, they create new law. They have a choice. One choice means writing new law as they do their best to fairly apply ill-fitting concepts. The other choice is to punt it back to the legislators, telling them in effect that if you want this new thing to be illegal, you need to clearly spell it out.

We see this principle in effect here. Ruled one way, the judge can make all WiFi illegal, since all devices capture traffic that doesn’t belong to them. Ruled another way, the judge allows benign activity like intrusion-detection and StreetView, but also allows hackers to eavesdrop at the local Starbucks (while still barring capture of encrypted traffic).

I prefer the second choice. I think the law is clear, and this is the better interpretation. But even if the law were unclear, this should still be the choice, because judges should err on this side. If "hackers at Starbucks" needs to be solved, then either Starbucks should solve it themselves by turning on encryption, or legislators should pass laws explicitly barring such sniffing.

