Interpreting packet sniffing with Kismet/Wireshark programs and their legality under U.S. Title III "pen-trap statute" law


Introduction


Note: Because there are MANY different scenarios that involve packet sniffing, and because they need to be evaluated on a case-by-case basis in various countries, I highly RECOMMEND you seek legal counsel specializing in Intellectual Property law or "I.T." law in THOSE respective countries if you need to better understand the legality of such issues OUTSIDE of the U.S. If you ARE legal counsel in the U.S. and want me to make technical corrections or add more case scenarios for U.S. readers, DO NOT hesitate to contact me. I understand U.S. law is not static and is open to interpretation. Thank you!

In this week's entry, I will be analyzing the varying circumstances in which packet sniffing with the Kismet/Wireshark computer programs may be considered "legal" or "illegal", given two real-life, real-world scenarios. I noticed that this question comes up quite frequently between "hackers" and law/policy analysts. This was the case at "Defcon" this past year, where individuals with both titles were looking for more efficient legal ways of securing mobile and wired networks and for ways lengthy legal battles could "potentially" be avoided.

The Google Wi-Fi packet sniffing case from 2011



The question posed in a similar case back in 2011 [1] was whether or not Google was within its rights to sniff unencrypted 802.11 traffic off of Wi-Fi networks with Kismet using Street View, even if it was collecting data "unintentionally". The answer in the first scenario is not so simple! I am going to look at both sides of the argument and then let you, the reader, draw your own conclusions about packet sniffing and whether or not it's legal to sniff traffic that's not encrypted, either "intentionally" or "accidentally", over a network. To be brutally honest, most users should know that "black hat hacking" (that is, unless you are a "pen-tester") is considered illegal in the U.S., and you can be prosecuted under the Computer Fraud and Abuse Act [2]. It's that simple.

First real life example



A real-life example, rather than a fictional scenario, that usually comes up would be "wardriving", which is accessing your neighbors' Wi-Fi networks with the intent of trying to break into them. Looking at it from one perspective, technically it's fair game if they have an open network that was not encrypted using a pre-shared key over WPA or WPA2 with Rijndael (AES-128), and you should be able to use their network freely; it would be their own fault IF they failed to secure their own network. Most courts are split over whether you have the right and ability to access data on unencrypted wireless networks or whether it's considered a form of "wiretapping" under U.S. federal Title III "pen-trap statute" law, known as the Federal Wiretap Act. A majority of them, most of the time, will say that Wi-Fi "hacking", on the other hand, is a federal offense and that you can do time under the Computer Fraud and Abuse Act [2] if you were accessing the network with malicious intent. It was my personal belief that in the Google case, Google should not have been liable for data collected on unencrypted Wi-Fi networks IF most users failed to properly secure their own networks, and that the case could have been dismissed, regardless of the intent, under U.S. law. European law, on the other hand, is ENTIRELY different, and European data privacy laws are much STRICTER than they are in the U.S. There is the possibility that Google could continue to be fined over the fallout from this case for years to come! Google (even as of 2019) was fined over fallout from Street View in both the U.S. and Europe for "unintentionally" collecting traffic off wireless networks several years ago.

Second real life example



Another real-life example would be a company monitoring traffic over its own LAN, sniffing unencrypted data with Wireshark. Would this be considered "legal"? It would be considered "legal" if the privacy policy, which everyone in the workplace was forced to sign, stated that the network was subject to random audits and that any "objectionable" or "questionable" material that turned up in the network logs was subject to warnings or termination. On the flip side, it would be considered a violation of the workers' Fourth Amendment rights (an "illegal search and seizure") and would more than likely be considered "wiretapping" if the company failed to properly state in its privacy policy that the network was subject to random audits all of a sudden and that they would be logged indefinitely, using vague written language in the existing policy. A computer use policy legally always has a higher value and can "quash" or limit any user's Fourth Amendment right in context; this is the case in most legal scenarios that frequently come up in the U.S. with respect to workplace privacy in the private sector (a "fourth amendment" legal article search on Google Scholar or LexisNexis will turn up several cases where this has happened in the past). Akin to that, O'Connor vs. Ortega (1987) dictates workplace privacy in the public sector.

Conclusion



The answer is simple, in my opinion. Most network traffic should be encrypted in order to protect the end user's privacy and to ensure the administrator is not abusing their power to monitor the network. Period! This would solve many cases and leave everyone in good legal standing. What are your thoughts? In what scenario does this work or not work? Leave me comments or questions if you would like to see more scenarios where this does and does not work. Have a nice weekend and take care! ;-D


References:


1. Ars Technica. "Judge to Google: Even open wi-fi networks may be wiretapping" http://www.arstechnica.com/tech-policy/2011/06/judge-tells-google-sniffing-even-open-wifi-networks-may-be-wiretapping.ars accessed 09 Nov 2012. 2011
2. Panix. "The Computer Fraud and Abuse Act (18 USC 1030)" http://www.panix.com/~eck./computer-fraud-act.html accessed 09 Nov 2012. 1998
