Saturday, December 08, 2007

Criminal liability for unsecured wireless networks?

I just received this email (from a source that will remain anonymous):

Good afternoon,

I have a wireless router (WiFi) which for technical reasons I won’t bore you with, has no encryption. If a third party were to access the internet via my unencrypted router and then commit an illegal act, could I be held liable? I’m not sure if this question in anyway broaches your area of expertise and if not please excuse the intrusion. I’ve asked some technical colleagues but they were not able to answer.

It’s a very good question. I’ve actually argued in several law review articles that people who do not secure their systems, wireless or otherwise, should be held liable – to some extent – when criminals use the networks they’ve left open to victimize others.

In those articles, as in nearly everything I do, I was analyzing the permissibility of using criminal liability to encourage people to secure their computer systems . . . which I think is the best way to respond to cybercrime. Since I’m not sure if the person who sent me this email is asking about criminal liability, about civil liability or about both, I’ll talk about the potential for both, but focus primarily on criminal liability.

There are essentially two ways in which one person (John Doe) can be held liable for crimes committed solely by another person – Jane Smith, we’ll say (with my apologies to any and all Jane Smiths who read this). One is that there is a specific provision of the law – a statute or ordinance or other legal rule – which holds someone in Doe’s position (operating an unsecured wireless network, say) liable for crimes Smith commits.

I’m not aware of any laws that currently hold people who run unsecured wireless networks liable for crimes the commission of which involves exploiting the insecurity of those networks. I seem to recall reading an article a while back about a town that had adopted an ordinance banning the operation of unsecured wireless networks, but I can’t find the article now. If such an ordinance, or such a law, existed, it would in effect create a free-standing criminal offense. That is, it would make it a crime (presumably a small crime, a misdemeanor, say) to operate an unsecured network.

That type of law goes to imposing liability on the person who violated it, which, in our hypothetical, would be John Doe, who left his wireless network unsecured. That approach, of course, simply holds Doe liable for what Doe, himself, did (or did not do). It doesn’t hold him criminally liable for what someone else was able to do because he did not secure his wireless network. And unless that law explicitly creates a civil cause of action for people who were victimized by cybercriminals (our hypothetical Jane Smith). Some statutes, like the federal RICO statute, do create a civil cause of action for people who’ve been victimized by a crime (racketeering, under the RICO provision) but absent some specific provision to the contrary, statutes like this only let a person who’s been victimized sue the individual(s) who actually victimized them (Jane Smith).

As I wrote in an earlier post, there are essentially two ways one person (John Doe) can be held liable for the crimes another person (Jane Smith) commits: one is accomplice liability and the other is a type of co-conspirator liability. While these principles are used primarily to impose criminal liability, they could probably (note the qualifier) be used to impose civil liability under provisions like the RICO statute that let victims sue to recover damages from their victimizers.

So let’s consider whether John Doe could be held liable under either of those principles. Accomplice liability, it applies to those who “aid and abet” the commission of a crime. So, if I know my next-door neighbor is going to rob the bank where I work and I give him the combination to the bank vault, intending to assist his commission of the robbery, I can be held liable as an accomplice.

The requirements for such liability are, basically, that I (i) did something to assist in or encourage the commission of the crime and (ii) I did that with the purpose of promoting or encouraging the commission of a crime. In my example above, I hypothetically provide the aspiring robber with the key to the bank vault for the express purpose of helping him rob the bank. The law says that when I do this, I become criminally liable for the crime – here, the robbery – he actually commits. And the neat thing about accomplice liability, as far as prosecutors are concerned, is that I in effect step into the shoes of the robber. That is, I can be held criminally liable for aiding the commission of the crime someone else committed in the same way as, and to the same extent as, the one who actually committed it. In this hypothetical, my conduct establishes my liability as an accomplice to the bank robbery, so I can be convicted of bank robbery.

I don’t see how accomplice liability could be used to hold John Doe criminally liable for cybercrimes Jane Smith commits by exploiting his unsecured wireless network. Yes, he did in effect assist – aid and abet – the commission of those cybercrimes by leaving his network unsecured. I am assuming, though, that he did not leave it unsecured in order to assist the commission of those crimes – that, in other words, it was not his purpose to aid and abet them. Courts generally require that one charged as an accomplice have acted with the purpose of promoting the commission of the target crimes (the ones Jane Smith hypothetically commits), though a few have said you can be an accomplice if you knowingly aid and abet a crime.

If we took that approach here, John Doe could be held liable for aiding and abetting Jane Smith’s cybercrimes if he knew she was using his unsecured wireless network and did nothing to prevent that. It would not be enough, for the purpose of imposing accomplice liability, if he knew it was possible someone could use his network to commit cybercrimes; he’d have to know that Jane Doe was using it or was about to use it for that specific purpose. I don’t see that standard’s applying to our hypothetical John Doe – he was, at most, reckless in leaving the network unsecured, maybe just negligent in doing so. (As I’ve written before, recklessness means you consciously disregard a known risk that cybercriminals will exploit your unsecured network to commit crimes, while negligence means that an average, reasonable person would have known this was a possibility and would have secured the network).

The other possibility is, as I wrote in that earlier post, what is called Pinkerton liability (because it was first used in a prosecution against a man named Pinkerton). To hold someone liable under this principle, the prosecution must show that they (John Doe) entered into a conspiracy with another person (Jane Smith) the purpose of which was the commission of crimes (cybercrimes, here). The rationale for Pinkerton liability is that a criminal conspiracy is a type of contract, and all those who enter into the contract become liable for crimes their fellow co-conspirators commit.

Mr. Pinkerton (Daniel, I believe) was convicted of bootlegging crimes his brother (Walter, I think) committed while Daniel was in jail. The government’s theory was that the brothers had entered into a conspiracy to bootleg before Daniel went to jail, the conspiracy continued while he was in jail, so he was liable for the bootlegging crimes Walter committed. I don’t see how this could apply to our John Doe-Jane Smith hypothetical because there’s absolutely no evidence that Doe entered into a criminal conspiracy with Smith. He presumably doesn’t even know she exists and/or doesn’t know anything about her plans to commit cybercrimes by making use of his conveniently unsecured network.

In my earlier post, which was about a civil lawsuit, I talked about how these principles could, or could not, be used to hold someone civilly liable for crimes. I’ll refer you to that post if you’re interested in that topic.

Bottom line? I suspect (and this is just speculation, not legal advice) that it would be very difficult, if not impossible, to hold someone who left their wireless network unsecured criminally liable if an unknown cybercriminal used the vulnerable network to commit crimes.


Bryan said...


I have no doubt that your legal analysis is correct on this issue. I would just like to add that as a practical matter, my experience suggests that police will try to charge the easiest target, not necessarily the actual criminal.

I operated a secure server, for business purposes, that wound up associated with a fraudulent credit card purchase and I was jailed for the crime. Charges were eventually withdrawn but the damage was done. Now for the rest of my life I have to report a felony accusation to state bar associations and employers.

My points are thus:
1) Insecure or secure computers can both be used by unauthorized individuals for criminal activity.
2) Cybercrime ranges from misdemeanors to first degree felonies.
3) Innocent mens rea is not sufficient to protect one from criminal accusations, prosecution, jail, bankruptcy and a lifetime of discrimination.

I would be very cautious to broaden criminal liability for simply existing on the internet or even for allowing others to access the internet.


Susan Brenner said...

Thanks a lot for those very insightful comments, Bryan.

I'm sorry to hear what happened to you. As I said in the post, I don't really see how you could be liable for what happened (absent some local statute or ordinance) . . . but sometimes it takes prosecutors a bit to figure that out (or vice versa).

My articles on imposing a kind of criminal liability (very low, for what's called facilitating a crime) is merely part of a large argument I make about the need to prevent cybercrime . . . since I don't think (as I explain in detail there) we can solely rely on the current approach of having law enforcement respond to cybercrimes (too many crimes, international issues, conflicting laws, etc.).

My argument is more along the lines of the approach taken by an Ohio college . . . which fines its students $25 if their computers acquire a virus which they then spread to others.

Anyway, thanks a lot.

-dsr- said...

There is a relevant technical aspect which has not been mentioned: of the commercially available, interoperable systems purported to prevent unauthorized wireless network access, none of them are effective against a minimally competent attacker.

The available systems on home wireless routers are called WEP, WPA, and WPA2. All of them can be cracked by software trivially available on the Net -- just Google for "wpa2 crack", for example. Maintaining a level of security past what is available from the router manufacturer is not a reasonable expectation. All the security schemes can do is make it more difficult for an average user to add access for an authorized system.

Criminal liability for making network access generally available also works against community networking efforts, which are frequently the most cost effective way to provide network access to the poor.

Susan Brenner said...

Thanks for the insights.

In the law review articles I mentioned, I argue for imposing a very small level of criminal liability simply to provide an additional incentive to do SOMEthing to secure their systems. As you say, no wireless security programs and, for that matter, no locks or burglar bars or alarm systems are foolproof.

My point, in those articles I keep mentioning, is that, IMHO, we need to do something to help people realize that they really do need to make some effort to secure their systems.

So, if we were to adopt some kind of minimal criminal liability for not doing so (something analogous to not wearing a seatbelt, say), the real goal would be to effect a change in culture . . . so that making a reasonable effort to secure one's system, of whatever type, becomes as routine as wearing a seatbelt.

(And yes, I know the analogy, which isn't mine, is far from perfect . . . as I note in the articles, it's much, much easier to use a preinstalled seatbelt than it is to use quickly outdated software to keep a system secure, plus it's a lot easier to catch seatbelt violators because their violations occur in public.)

-dsr- said...

Seatbelt laws provide a small negative incentive (typically a $25 to $100 fine) to persuade people to make a minimal investment in an action which can provide significant benefit to themselves. I would be happy to see a law which did the same for computer security. Unfortunately, I do not believe that such a law is workable. We can reasonably mandate seatbelt installation by automobile manufacturers, test for functionality by safety engineers, and use by drivers and passengers. It is not reasonable to require, say, "installation and operation of an effective security system" because the terms are undefined and rapidly outdated. Enacting a law that makes innocent people into criminals when circumstances beyond their control change is a poor idea.