HomeBlogscharlie.collins's blog

What exactly is the "crime" in using open WiFi?

Wed, 05/23/2007 - 13:05 — charlie.collins

So, Ars is running this story about a man arrested in Michigan for using a cafe's free WiFi from his car.

There are several egregiously shitty aspects to this case: first the cafe owner apparently did not make any complaint - rather a police officer just "noticed" it, second the law is ambiguous as hell at best, and third guy faces a 400 fine because they are going to let him off easy (the prosecutors "don't believe" he was aware he was breaking the law).

These things crop up from time to time, but in this particular instance I still don't see what the crime was, based on the statue linked. There are many angles here, but I would not accept the 400 fine, and would take this crap to court.

The statue says " A person shall not intentionally and without authorization or by exceeding valid authorization do any of the following: (a) Access or cause access to be made to a computer program, computer, computer system, or computer network to acquire, alter, damage, delete, or destroy property or otherwise use the service of a computer program, computer, computer system, or computer network. "

They are after this guy because he was not a customer, he was not "authorized", and the network was "reserved for customers." Reserved how? When he drives up THEIR server sends out a broadcast and says HERE I AM, USE ME. Their machine made the first "unauthorized" access, not his. The network stack on the machine that is catching broadcasts is a "program" after all, and the router that broadcast is at that point "otherwise using" the receiving computer. Those terms are so nebulous that they are worthless of course, but by the current statute would put the fault with the open WiFi network itself, as I read it.

That said, you could also go after the "without authorization" part of the statute. If there is no authorization, back to the photons from a window analogy, then exactly how was the violator "without." A sign in the cafe that says "reserved for customers" or something is not sufficient, the signal travels far beyond that type of measure and cannot reasonably be expected to be a type of authorization control.

Now if someone uses a user/password to get past a simple login screen, and it's not their user/pass, that is without auth. Just turning on your computer, and accessing a wide open network that has no controls, is not violating any authorization (again, there is nothing to violate).

The law and the fact that anyone is prosecuting it at all, be it letting someone off lightly or not, is stupid.