Re: Hasn't the LA Times and Humphrey Cheung ever heard of the Electronics Communications Privacy Act?

[Matthew Murphy <mattmurphy () kc rr com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Apr 28, 2007, at 12:33 PM, Richard M. Smith wrote:

> The Starbucks case is one for the lawyers to sort out if private WiFi
> network is readily accessible to the general public or not.

It's not a "private" WiFi network, Richard; it's unencrypted with  
SSID broadcast on and accessible to anyone within the vicinity of a  
Starbucks -- note, not necessarily inside.  Unencrypted = public, in  
most cases, and surveillance is certainly one of them.  If you want  
an affirmative claim to support prosecution of an ECPA/Section 632  
violation, you have to encrypt the network's traffic.  Even WEP has  
value, in the eyes of the law, because it shows a network provider  
who took an affirmative action to demonstrate to would-be users an  
expectation that the privacy of the network is to be respected.

> My assumption
> is no.  One data point here is intercepting insecure cordless phone
> conversations is illegal under ECPA even though older cordless  
> phones can be
> heard with a $100 Radio Shack scanner.

Yes, because cordless phone conversations are explicitly considered  
"confidential communications" under both ECPA and the relevant  
California penal code.  However, the criteria of ECPA for what is  
considered public among other, non-excepted communications is pretty  
solid:

1. Encrypted
Not true in the case of Starbucks -- open authentication with no data  
encryption

2. Transmitted using non-public modulation techniques
Given that 802.11b/g are spec'ed out in IEEE standards documents, I  
don't see this holding up.  Furthermore, Starbucks' network  
broadcasts its SSID.

3. Carried on a subsidiary carrier
802.11 as implemented by Starbucks is inherently point-to-point, up  
until it reaches the AP and hits a wired line.

4. Transmitted over a common carrier network
Internet providers are not CCs, as the net neutrality debate  
illustrates plainly

5. Transmitted over certain regulated frequency classes
It's well-known that the frequency range for 802.11 is not regulated  
and can be used for any functional purpose.

802.11 with SSID broadcast and no encryption is NOT confidential  
under ECPA, period.  The network is clearly "readily accessible to  
the general public", both in letter and in spirit of the law.

California penal code also doesn't apply, because it requires a  
reasonable expectation of confidentiality, except in certain classes  
of communications like cordless phones.  When users connect to an  
open WiFi LAN, they typically must affirm at least once that their  
communications are subject to interception if not encrypted.  Thus,  
no reasonable expectation of privacy/confidentiality could be  
established for the purposes of Section 632, either, unless perhaps  
the transmitter was an illiterate -- good luck explaining *that* to a  
judge.

> > > > You don't really think the paper would've published this story  
> > > > if it
> > > > would've subjected an individual identified within to criminal
> prosecution, do you?
>
> Absolutely.  Back around 2003, the Washington Post did an article  
> on how
> easy was for two computer security people to break into Windows  
> computers
> owned by the Federal government.  These computers had open shares  
> which were
> easily detectable from the outside.  A week later the two  
> consultants were
> busted by the FBI.  Not sure what the result of the arrests were.

Seems like another case of the administration pursuing a hopeless  
criminal case (e.g., terrorism charges against cell-phone  
unlockers).  Unless the consultants were informed via warning banners  
or some other means that the resources they were accessing were for  
government use only, they have neither achieved unauthorized access  
nor exceeded their authorization.  I was unable to find any  
information suggesting that the consultant who was charged was ever  
convicted.


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (Darwin)

iQIVAwUBRjOstXXzqEAiV8M/AQLdmQ//eZwQx5kau9c5vXy5ZFc/nQlfv5mszxde
MHgb8OJZUfMZHEJ8sVBS8lI+1zBV5tmjO42xYaibDs6GThmv2AScVTvsialUJUbl
0YnXyvkj1wo3Cwoyld11015Vhkh6xlNqGtYjflweHq96Ee9NK5wa9BtOLU4QYuW0
yGRVEmKnwLJFjJvbaNb1TjV+rpAyhnft+7zPB7PgN8V5k0LwZji/Das7bzrXwBQK
LJh1C86jUkgU38TTNtaH5RCgTZEemv92xGGL7jbIbmOO+Xyyv/LOGmfCBhz/oDiB
dXZ3/bcn1vkPkVQZ4kqoF3dxZC/I1aLut09G2CyuUKUUDtH+LkiFcAYazWa3/U0i
6M9dxTT1pxcPZ8G4DuFrdObfbZTtXDxXZynZsFt7Ha0AtnDiqip803vzbz3WH87v
ufRCZOM2AspdRaIzRFiw/F3S9RIsOtAOczvnNh+/Rchc3JZwHIe82Da2Z8zU3BBA
8H9SXEEI9/MCMCQv/y6Smb73aWn3mml2KmVRkMcPIqngCziGUvEp8/hivPGb7O0k
mojT4u3eOx2Dox3qQnP6oxJeYEYQLeywUqxTRFsGPYHr6J8vL8sWpeBMDEK49KqJ
ISW5chxhFCtPtDXMIzncYzwC1xQLahYASS5zTbMzsQrKv6rOzreLtKoXfb6PW/HY
Ds0Vxg/Vvfk=
=4DQJ
-----END PGP SIGNATURE-----
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.