If you have the tools and know what you're doing it's easy to spy on people on an open Wi-Fi network.
Recently, the U.S. Federal Communications Commission (FCC) proposed a $25,000 fine against Google for "deliberately impeded and delayed" an ongoing investigation into whether it breached federal laws over its street-mapping service that peeked in on open, unencrypted, Wi-Fi access points (AP). Read that again, Google wasn't fined for collecting and storing data from unencrypted wireless networks. They were fined a slap on the wrist amount for not answering the FCC questions as quickly and as thoroughly as the FCC would have liked. The actual snooping in on people Wi-Fi AP and communications--that's OK.
Google argued that "the Wiretap Act permits the interception of unencrypted Wi-Fi communications. The FCC agreed. To quote from the FCC's Notice of Apparent Liability for the Google case, "It shall not be unlawful under this chapter or chapter 121 of this title for any person ... to intercept or access an electronic communication made through an electronic communication system that is configured so that such electronic communication is readily accessible to the general public." In short, if your Wi-Fi isn't configured to be secure by the use of WPA (Wi-Fi Protected Access), WPA2 (Wi-Fi Protected Access 2) or even the long broken Wired Equivalency Privacy (WEP), then by the FCC's rules it's not illegal to listen in on it.
As the FCC warns you in its FCC Consumer Tip Sheet: Wi-Fi Networks and Consumer Privacy, "consumers are at risk when they transmit sensitive information - such as credit card numbers and passwords - over public Wi-Fi networks." Now, if someone grabs that information and uses it for illegal purposes-say they buy themselves an iPad 3 with your credit card number--that's another story. But, simply grabbing your data as you transmit it in the clear over your local coffee shop's network, the FCC doesn't have a problem with that.
It's also trivial to do. The Firefox-based ethical hacking program, Firesheep showed that anyone can grab your data from an open network. Anyone who knows the first thing about network administration can use network protocol analyzers like WireShark to track your ever move on an unsecured network.
As Jason Glassberg, co-founder of Casaba, a cyber-security firm based in Seattle observed, while "the questions of legality are beyond our purview, however I do believe there needs to be a distinction between collecting unencrypted data and using that data for malicious purposes. I can drive around all day collecting information from unencrypted networks, but as soon as I use any of that data, even if it's to join that network as an unauthorized user, I have a crossed a line."
Dr. John Michener, Casaba's chief scientist adds that, "If you make an analogy to shortwave radio and radio HAMs you would expect that unencrypted radio communications are expected to be intercepted. This is clearly not the use context of Wi-Fi. Until recently, people tended to use unprotected Wi-Fi, which allows easy interception. If viewed this way, the user doesn't care--because if the user cared, they would have set either WEP (essentially broken) or WPA protection." And, that is how the FCC sees it, but is that all there is to it?
Richard Santalesa, an attorney with the Information Law Group states that "it's a violation of many state laws to tap into another's Internet access (outside of say McDonald's, Starbucks, the library etc which expressly provided the service for same) under various theft of service laws."
- Whoever willfully, knowingly, and without authorization:?(1)
- (a) Accesses or causes to be accessed any computer, computer system, or? computer network; ... commits an offense against computer users.
- Except as provided in paragraphs (b) and (c), whoever violates subsection (1) commits a felony of the third degree."?(2)(a)
Andrew Jacobson, founder of the Bay Oak Law firm, believes that unauthorized listening of unencrypted Wi-Fi might break a national law as well. Under 18 USC 1030, Fraud and related activity in connection with computers, "Accessing someone else's Wi-Fi is arguably a criminal offense, because you are accessing computers (in this case, the Internet) without the authority of the Wi-Fi's owner. Interestingly, it would probably not be a civil offense under the same law, because that requires more than $5000 in damages in one year."
So is the FCC wrong? Maybe. Maybe not. Other experts think "Ultimately, the FCC controls how radio transmissions are used and it's that agency's rules that apply. In general, the FCC preempts any state regulations involving the radio spectrum."
We can argue for ages though about whose rules apply, whether it's illegal or not to eavesdrop, on someone's unprotected Wi-Fi. Here's the simple real-world truth, says Seth David Schoen, the Electronic Frontier Foundation's (EFF) Senior Staff Technologist, "it's easy to intercept data from open Wi-Fi networks and users should be using encryption whenever they use the Internet. Not everyone with a van is going to get caught."
Exactly. If you're going to use open Wi-Fi networks you should use Virtual Private Networks (VPN)s or the EFF's HTTPS Everywhere to help secure your Web site connections. If you don't, well, be ready to have your information tapped by any Tom, Dick, or Harry. And, depending on the circumstances, be prepared to deal with them being able to get away with it in a court of law as well.