Wireless Security and Crime Prevention
One of the interesting elements of Google’s StreetView program was that its camera crews picked up and recorded the location of wireless hotspots that were not secured. This information was not, so far as I recall, published by Google, but its collection made some news. It seems to me, however, that one hears less often about ‘war-driving’ and other forms of cruising about looking for unsecured wireless signals in order to piggyback onto the Internet with them. Is that because there are so many public wireless access spots available nowadays, or because broadband access has become so cheap that one doesn’t have to go to the trouble of looking for someone else’s hotspot, or because more people are securing their home signals?
One also hears of these borrowed signals being used for illicit purposes: online gambling, spamming, downloading copyrighted materials, accessing child pornography, etc. (I don’t say ‘stolen’ signals because it’s not clear that there is any theft involved. Consider the issue of exclusory vs non-exclusory taking of an intangible. If I use your broadband signal, I probably don’t deprive you of anything – though if I take so much that you run into your billing cap, the analysis might change. On the other hand maybe the activity is contrary to the Criminal Code’s prohibition on unauthorized access to a computer system, even if the unauthorized user does not look at the contents of the router owner’s computer.)
Would it be a step in the right direction if broadband routers were required to be sold with security enabled, rather than counting on their purchasers to take the time and trouble to set up a secured signal? Would that help prevent illicit use of the signals – and I don’t mean just the use without permission, but the use in actual unlawful communications activity such as mentioned above? Or would that be too much of a technical burden on unsophisticated buyers who would not know how to make their computers talk to their new router or vice versa?
Would that make sense as a free-standing harm-prevention measure or would it be better in a package of Internet security provisions that could require, for example, default security settings on browsers or on hardware as well? Is there other IT security that should be a matter of legal obligation?
I know that privacy law requires personal information to be kept secure, whether or not it’s in electronic form, and as a practical consequence of this duty, privacy commissioners want personal information on mobile devices to be encrypted. Is there something else?
And there’s the usual Canadian question: would such a measure or set of measures be a matter for federal or provincial jurisdiction?
In short: are unsecured wireless routers a problem, and would a ‘sell routers with security turned on’ law help resolve it?
John:
I can attest from helping some senior citizens that I know deal with computers that the LEAST bit of complication is at times, totally bewildering to some. I had to configure a router for one on Sunday and it was something that they could not figure out..they thought they HAD turned it on but all they did was set a password for the router..not a password for the WPA2 security..which was turned off. As well the hardware switch on their laptop had been flipped off somehow (poor placement right at the front near the keyboard) and they couldn’t figure out why they lost wireless. They also managed to have 7 trojans on their machine…*sigh*
For all of us that understand technology, these are just small bumps in the road.. to a senior citizen or anyone with any kind of a learning challenge, these are HUGE issues.
So I can understand why technology companies try to turn off anything that stands in the way of ‘just make it work’.
I am borrowing a line from Bruce Schneier of Counterpane Security – security should be built-in. It shouldn’t be something we need to ‘turn on’ or configure or such. It should be part of intelligent design…not an add-on.
*sheesh*
Cheers,
Dave
David J. Bilinsky BSc LLB MBA
Every since the bad old days, networks have been the weakest part of the user experience. Remember the strange modem language you had to use? Even now, I’d bet that very few people know how to talk to their router — perhaps having done it once under the patient guidance of some helpdesk (or a kind Dave Bilinsky), only to have the knowledge evaporate five minutes later. TCP/IP, DNS, 802.1X, Ethernet, WEP, WPA, proxies, WINS — these are the sounds of the industry’s failure to make usable devices that “only connect.”
Interestingly, there is also a move toward keeping one’s network open, described by Bruce Schneier, a well-known computer security expert.
I especially like the “Fon” router, which have two wireless networks: a secure one for you, and an open one for everyone else.
Now, all I need is some “Copious Spare Time” to put together an open network for passers-by and a secure one for me. As you might guess, the latter is the harder part.
–dave