One of the interesting elements of Google’s StreetView program was that its camera crews picked up and recorded the location of wireless hotspots that were not secured. This information was not, so far as I recall, published by Google, but its collection made some news. It seems to me, however, that one hears less often about ‘war-driving’ and other forms of cruising about looking for unsecured wireless signals in order to piggyback onto the Internet with them. Is that because there are so many public wireless access spots available nowadays, or because broadband access has become so cheap that one doesn’t have to go to the trouble of looking for someone else’s hotspot, or because more people are securing their home signals?
One also hears of these borrowed signals being used for illicit purposes: online gambling, spamming, downloading copyrighted materials, accessing child pornography, etc. (I don’t say ‘stolen’ signals because it’s not clear that there is any theft involved. Consider the issue of exclusory vs non-exclusory taking of an intangible. If I use your broadband signal, I probably don’t deprive you of anything – though if I take so much that you run into your billing cap, the analysis might change. On the other hand maybe the activity is contrary to the Criminal Code’s prohibition on unauthorized access to a computer system, even if the unauthorized user does not look at the contents of the router owner’s computer.)
Would it be a step in the right direction if broadband routers were required to be sold with security enabled, rather than counting on their purchasers to take the time and trouble to set up a secured signal? Would that help prevent illicit use of the signals – and I don’t mean just the use without permission, but the use in actual unlawful communications activity such as mentioned above? Or would that be too much of a technical burden on unsophisticated buyers who would not know how to make their computers talk to their new router or vice versa?
Would that make sense as a free-standing harm-prevention measure or would it be better in a package of Internet security provisions that could require, for example, default security settings on browsers or on hardware as well? Is there other IT security that should be a matter of legal obligation?
I know that privacy law requires personal information to be kept secure, whether or not it’s in electronic form, and as a practical consequence of this duty, privacy commissioners want personal information on mobile devices to be encrypted. Is there something else?
And there’s the usual Canadian question: would such a measure or set of measures be a matter for federal or provincial jurisdiction?
In short: are unsecured wireless routers a problem, and would a ‘sell routers with security turned on’ law help resolve it?