Unsecured wifi might be contributory negligence

Roland Perry lists at internetpolicyagency.com
Sat Feb 18 17:31:18 GMT 2012

In article 
<CADWvR2iGhNz0PNC-oMmT-StNWUOtFJy7ePYbOV4qCpAaW-Xc4w at mail.gmail.com>, 
Igor Mozolevsky <mozolevsky at gmail.com> writes
>> You need to think about the American legal system as privatised regulation,
>> through the lens of class action suits - or big corporates suing many
>> individuals, which is much the same ides.
>I don't follow your logic, how do you suggest that would transpose to
>English law/UK legislation?

It doesn't transfer via class actin suits, because we don't do those. 
What might happen is that (because it's also hitting mainstream now) we 
could get laws which introduce expectations on the behaviour of domestic 
Internet subscribers along the same lines as were eventually introduced 
for car drivers.

>> I thought we'd got past the issue of "whose fault if the security is weak".
>> What this is about, in the first instance, is *no* security. And that's
>> something maybe the user might reasonably be responsible for.
>Going back to your car example, the statute provides a positive
>obligation on the vehicle keeper to identify the driver at some
>specific instances. So far as the keeper is concerned, it would be
>fairly obvious (e. g. by giving your keys) that someone else was
>driving the vehicle at the time, or (by distinct absence of the
>vehicle) that someone has stolen it.

You've forgotten the situation of leaving the keys in the car. Whether 
the owner notices it's gone or not is a separate layer in the debate.

>When you've got a wifi router,
>the situation is different---someone hijacking your connection is not
>exactly going to make your router disappear, neither can you really
>rely on router's logs because forging MAC addresses is a straight
>forward exercise.

If they are hijacking your *open* router, the solution is to apply some 
kind of (any kind will do for now) security. It shows willing, if 
nothing else.

>So if you are saying that there should be a statutory/common law
>obligation to keep the router "secure", I can't see how that could be
>implemented in a meaningful way...

By making it clear that operators of open domestic wifi points are 
responsible for bad things which happen as a result.

Remembering also that the primary objective here probably isn't to make 
domestic wifi points secure from "masked men", or responsible for 
identifying those masked men, but to neutralise the excuse of the 
operator that "It wasn't me, it was a masked man wot dunnit".
Roland Perry

More information about the ukcrypto mailing list