
Is It Legal To Use Firesheep At Starbucks?


Infiltrator


Computerworld - People using the Firesheep add-on may be breaking federal wiretapping laws, legal experts said today.

Or maybe not.

"I honestly don't know the answer," said Phil Malone, a clinical professor of law at Harvard Law School as well as the director of the school's Cyberlaw Clinic at the Berkman Center for Internet and Society. Malone also served for more than 20 years as a federal prosecutor with the U.S. Department of Justice.

Firesheep, which was released just over a week ago and has been downloaded nearly half a million times since, is an add-on to Mozilla's Firefox browser that identifies users on an open network -- such as a coffee shop's public Wi-Fi hot spot -- who are visiting an unsecured Web site. A double-click in Firesheep gives its handler instant access to the accounts of others accessing Twitter and Facebook, among numerous other popular Web destinations.

But while the tool itself is not illegal, using it may be a violation of federal wiretapping laws and an invasion of privacy, experts said.

"There are two schools of thought," said Jonathan Gordon, a partner in the Los Angeles office of law firm Aston & Bird. "The first is that there's no reasonable expectation of privacy in a public insecure Wi-Fi connection."

Gordon, who regularly counsels clients on their Internet business practices, cited the U.S. statute pertaining to wiretapping, which states that it's not a violation of the law "to intercept or access an electronic communication made through an electronic communication system that is configured so that such electronic communication is readily accessible to the general public."

But a second school of thought, said Gordon, "is that when people are accessing their social network [account], they have an expectation that whatever they're doing is governed by the privacy settings in that network." In other words, the fact that accessing a site takes place in an unsecure environment is beside the point.

Gordon acknowledged that the second position was held by a minority of legal experts.

Scott Christie, a partner in the Newark, N.J., office of the law firm McCarter & English, is in that minority, and he said that using tools such as Firesheep -- dubbed "packet-sniffers" -- is illegal.

"Do people have a reasonable expectation of privacy when they're at a public node? The answer is probably yes," said Christie. "They don't forfeit their expectation of privacy simply by using a public Wi-Fi spot. And wiretap laws in general make it illegal to intercept real-time communications and content."

But privacy laws were not crafted to cover scenarios where the owner of the data -- in the Firesheep example, people accessing their Facebook accounts at an unsecured hot spot -- didn't take steps to protect their information.

That's one of the reasons why the legality of Firesheep, and other tools like it, remains up in the air.

"It's an unsettled legal issue, but it will be tested at some point," Christie said. "Like many other situations, this is one of those areas where the law was crafted prior to the Internet age, and the courts will have to catch up."

Gordon agreed. "It may be difficult [to clarify this], but it will happen," he said.

Another law may also apply to Firesheep use, said Malone. That law, the Pen Register and Trap and Trace Devices Act (sometimes shortened to the Pen/Trap Act), was crafted with telephone line wiretapping in mind, but it could be called on by prosecutors, Malone said.

A packet-sniffer that snatches important information, such as the IP address or other sending and receiving information, including addressing or routing data, is one case where the Pen/Trap Act might be applied.

"If something like Firesheep grabbed some pretty bad stuff, technically it may have violated [the Pen/Trap Act]," said Malone, adding that an aggressive prosecutor might decide to file charges based on that law.

Christie wasn't so sure. "If a tool like Firesheep captured IP addresses, the criminal component of it might apply, but I'm not sure anyone would use it."

The legal experts also noted similarities between the Firesheep situation and Google's trouble with U.S. and foreign regulators over its Street View vehicles. Earlier this year, Google admitted that those vehicles had grabbed information from unsecured wireless networks as they snapped photos and mapped hot spots.

Two weeks ago, Google admitted that in some cases the Street View sniffers had captured complete e-mail messages and user passwords.

Google claimed that the data collection had been unintentional, and it argued that the practice did not violate federal laws because the wireless networks were not password-protected. However, that didn't stop several state attorneys general from asking Google for more information as they tried to decide whether the company broke federal or state laws, including wiretapping and privacy statutes.

Last week, the Federal Trade Commission closed an investigation into Google's Street View activities. However, the company faces numerous class-action lawsuits in the U.S. over the practice and may be fined by some European privacy agencies.

Malone said he suspected that before the law catches up to Firesheep and its ilk, Web sites will lock down their services, making the issue moot. That's also the hope of Eric Butler, the Seattle-based Web application developer who said he released Firesheep to raise awareness of the lack of Web site security.

"Maybe all the bad press [over Firesheep] will make people realize that there's a problem, and enough to shame sites into changing," Malone said. "Maybe this is the wake-up call we needed."

Source: http://www.computerworld.com/s/article/919...p_at_Starbucks_


"I honestly don't know the answer," said Phil Malone, a clinical professor of law at Harvard Law School as well as the director of the school's Cyberlaw Clinic at the Berkman Center for Internet and Society. Malone also served for more than 20 years as a federal prosecutor with the U.S. Department of Justice.

LMAO! wow...if i ever get arrested for anything i hope that guy is my prosecutor. how can he say something like that on record. :lol:


LMAO! wow...if i ever get arrested for anything i hope that guy is my prosecutor. how can he say something like that on record. :lol:

That's what really cracked me up, when I read that line. Come on, it's so obvious that accessing someone else's account without their consent is illegal.

Anything that you access without proper authorization from its owner is illegal. I don't know what that guy was thinking.


That's what really cracked me up, when I read that line. Come on, it's so obvious that accessing someone else's account without their consent is illegal.

Anything that you access without proper authorization from its owner is illegal. I don't know what that guy was thinking.

i know, and he's "a clinical professor of law at Harvard Law School as well as the director of the school's Cyberlaw Clinic at the Berkman Center for Internet and Society" come on....seriously? wtf. lmao. that guy just ruined his street cred. lol


i know, and he's "a clinical professor of law at Harvard Law School as well as the director of the school's Cyberlaw Clinic at the Berkman Center for Internet and Society" come on....seriously? wtf. lmao. that guy just ruined his street cred. lol

The tool has been created to bring awareness of what it can do. However there are people who might use it for the wrong purpose, I now understand why that Professor said it wasn't illegal.


The tool has been created to bring awareness of what it can do. However there are people who might use it for the wrong purpose, I now understand why that Professor said it wasn't illegal.

Correct, the tool itself isn't really illegal. It's the use of said tool that is legal/illegal. Same can be said for most things.


  • 3 weeks later...

Sorry for the late bump of this story (I obviously don't check these forums much), but I felt compelled to add my two cents last week (when the servers were down), so I saved my response below - would love to hear the thoughts of some of the posters here:

I'll try not to troll here, but a few things are apparent from the comments. First, judging by the "duh, it's illegal" comments, very few of you actually RTFA. In addition, the Berkman Center is one of the foremost thought leaders when it comes to the intersection of law and technology. Seriously - check out their site - I guarantee you'll come across more than a few interesting ideas that are worth your time to explore. So maybe I'm the one being trolled, but someone has to defend what this guy says, especially on a good forum with so many bright people.

Anyway, the legal-status question that this professor was answering was more along the lines of "do you have a reasonable expectation of privacy at an unsecured wifi hotspot"? As people on this board who have (hopefully) known about the ease of cookie-swiping from unsecured wifi before a Firefox extension made it easy, I think many of us would say that there is NOT an expectation of privacy at an unsecured wifi hotspot, giving some greater legal standing to someone who may be busted using this tool.

So that's the "wifi is not secured" argument. The other argument is that you DO have an expectation of privacy when you log into a service (like facebook) with private credentials. So is it up to your wireless access point to provide security? If so, then is firesheep "illegal" because it is circumventing security measures? Or is the burden on the service provider (like facebook or your email provider) to provide a secure connection (like SSL), rendering tools like Firesheep worthless?

Lastly, you all do hopefully realize that if use of a tool like Firesheep is deemed "illegal", then what really separates this tool from any packet-sniffer or traffic analyzer? At what point do certain tools "cross the line" and their use is deemed unlawful?

Sorry if I come across as a bit snippy, but questions like these really do have an impact on all of us in the long run. The better we understand how our tools are viewed within the framework of the justice system, the better we can defend our right to use them.


If the question has to be asked if it is legal or not, then chances are that it is not legal.

Not always. There are some grey areas in some aspects that need asking. I'm in England, used to own a blank firing Beretta. Before I bought it I had to ask if it was legal to own. Was a grey area. But was fine as long as it couldn't be converted. Now, however, the law has changed but I managed to sell it before that happened. Last time I checked you had to be a member of a re-enactment group now to be allowed to own one. Annoying cause I wanted a Glock.
