Finland To Legalize Use of Unsecured Wi-Fi 151
Apotekaren writes "The Finnish Ministry of Justice has started preparing changes to a current law that criminalizes using unsecured wireless hot spots (Google translation; Finnish original). The reasoning includes the impossibility of tracking unlawful use, the ease of securing networks, and the lack of real damage done by this activity. It is also hard for a user to know if an unsecured network is intended for public use or not. The increased ubiquity of legal, open networks in parks, airports, and other public places has also influenced this move by the Ministry of Justice."
There's got to be a better way... (Score:5, Interesting)
We need a standard for secure WiFi that allows guests in, most likely by giving them a personal shared key on their receipt or ticket. The big problem with unsecured WiFi is that there's no accountability. Some video-downloading hog can take all the bandwidth, and trying to use anything on 2.4 GHz during a Apple or Google developer conference presentation is near impossible. WiFi was a good first take, but we've got to work QoS and authentication in just like we have for wired just for safety's sake. Otherwise, these laws banning open WiFi actually make sense.
Barnes and Nobel (Score:4, Interesting)
Re:There's got to be a better way... (Score:4, Interesting)
I agree. Where's the middle ground here? I guess making anyone who wants to use the public stuff register their MAC would be a huge pain in the arse, not to mention how easily that is spoofed. What about logging in through a proxy with user-name and password? It would have to be something that changes frequently otherwise they would be swiped by MitM attacks. Why not some sort of biometric credentialing that requires fingerprint or retina? The whole idea is to satisfy audit-tracking and accountability policies but biometrics sounds like a pain, once again.
Surely someone here has some good ideas?
Re:There's got to be a better way... (Score:4, Interesting)
So because open WiFi doesn't work in the most extreme situations, everyone should be legally obligated not to use it? Really? That is your argument? Open WiFi works just fine at my house (with a separate 'guest' SSID that doesn't grant network access obviously), and my place of business, and the college I attended, and the park downtown, and any number of other situations. There's absolutely no reason to ban operating an open WiFi connection except to make copyright content owners happy.
Re:Name Change (Score:1, Interesting)
This didn't happen by accident. The Ministry of Justice actually recognised the Finnish Pirate Party as having expertise in the subject and asked for opinions on the matter. Glad to see they also took heed of the advice given, especially considering the party does not yet have any representatives in the parliament.
Re:There's got to be a better way... (Score:1, Interesting)
Forget it. Wifi is in unlicensed bands. You simply cannot protect against uncooperative users. You don't have to provide services to them, but they can always use the band as they wish. For example, it only takes two wireless video bridges to kill 2.4GHz Wifi within range of the bridges. On a Wifi network, the access point can already shape the traffic. There are other modes than open or shared key, so the individual encryption without a complicated user interface is not the norm merely due to lack of convention, not due to a technical deficiency. It is worth noting though that the encryption on the wireless interface is security theater in the case of public wireless networks, because it lacks authentication: How can the customer tell if he's logging into the wireless network of the coffee shop or the friendly hacker at the next table?
Re:There's got to be a better way... (Score:3, Interesting)
I don't understand, then.
I turn on my WiFi device, and it looks for permission to use a connection. It finds a router which is clearly broadcasting its presence in a public place.
It then asks the router (which has been configured by its owner) for permission to use the network.
The router (which has been configured by its owner) grants permission and hands out an IP address for my device's use.
What part of unauthorized could possibly apply here?
This law simply clarifies the definition of "unauthorized".
Having said that, you miss the point I was trying to make.
If I want to use your open network to sniff out your credit card number, your Facebook account credentials, snoop your open network shares over your open network, there is not a law on the books which is going to technically prevent me from doing so. I'm going to collect that information, and there's about a 99.999% chance no one will ever catch me doing so. Meanwhile, you're in your house thinking the law is somehow keeping you safe. Hint: It isn't.
You might sit in your house thinking the law protects you, but that's a dangerous sense of security. It actually encourages you to run your network "open", because you think the law protects you.
If you want the law to protect your WiFi access point from unauthorized use, then this law is exactly what you want.
It establishes clear guidelines as to what "authorized" means, makes you an active participant in protecting yourself from harm, and sets a foundation that both protects you from evildoers and allows the police to identify truly unauthorized users at the same time.
Re:There's got to be a better way... (Score:2, Interesting)
It was easier for me to just turn off WPA2 than to give my string or allow MAC addresses for some one-time guests the other day. Even WPS is a pain in the neck.
I think your idead of receipts is wonderful. What we need is for a company to put one Guest Button on every router, with a big juicy text LCD screen. You push the button and the LCD gives you a SHORT temp password (aiming 64-char keys would defeat the purpose) with its own LAN for the people in front of you. After a set period (configurable in your router) the lan disappears, and the MAC addresses are logged in case you want to add them to your security.
My DLink 825 is proof that companies trust users to do pretty complext stuff on consumer routers, down to IPv6 configuration, DHCP management and access rules. I'm suggesting just another feature that will sell your routers as user friendly.
Re:There's got to be a better way... (Score:3, Interesting)
What part of unauthorized could possibly apply here?
At least in most states in the US, there's technical ability and then there's legal authorization. I technically have the ability to open my neighbor's door and walk into their house. I do not have the legal authorization to do so. This is analogy is more apropos than most because my neighbor is handicapped and has a button which opens the door automatically if it is unlocked.
I have the technical ability to connect to most open access points. I may not have the legal authorization to do so. Just because the router is configured (by default, in most cases) to hand out addresses does not indicate that there's a legal authorization to use the network. Though it seems like about half of Slashdotters think that if you can do something, you should be authorized to--that simply isn't the way the law works.
If I want to use your open network to sniff out your credit card number, your Facebook account credentials,
These may fall under some state wiretapping laws. But your choice of wording is somewhat unfortunate. You probably aren't using the network, in these cases. You're just capturing data transmissions.
snoop your open network shares over your open network
I guess this depends on what you mean by 'snoop.' Capture files as they go across the wire? See above. Connect to the shares? That's likely a violation of the Computer Fraud and Abuse Act.
Meanwhile, you're in your house thinking the law is somehow keeping you safe.
The law doesn't perform actions, so anyone who thinks that any law keeps them safe is being silly.
What happens is that people fear getting caught, and so they don't take the actions. If there's almost no chance that they'll be caught, sure, they might not care. But that's why there are often very high penalties for these types of crimes.
Regardless, there are ways of getting caught doing passive sniffing. The law is not unenforceable. If I see you in your car outside of my house with a laptop, you might be up to no good. I could call the police to have them investigate.
Re:We have the bandwidth (Score:1, Interesting)
I'm paying 45 euros/month for a 110Mb line (yes, actual speed) here in Helsinki. So bandwidth wouldn't be a problem. OTOH, what might become interesting might be the operator agreements, wouldn't the operators want to stop people from sharing their connection? And how is anyone ever going to be able to use IP addresses as evidence anymore if you can just claim that you have an open network.
Re:Scandinavian countries seem wise (Score:3, Interesting)
There is a funny thing about that law. Up to this point, NOT A SINGLE COMPANY USED IT.
Because there is a clause in the law stating that to use the law to monitor your employees, you are required to inform a government official in charge of privacy investigation, essentially making it public that you're using the law. And the public backlash because of the law was so heavy, that not a single company wants to be known as "the first company to start using that unfair snooping law".
So the law is in place, but no one wants the bad rep for using it. So it's not being used. A sort of classic nordic common sense, very similar to what we did when christians came with their crusades to bring the religion. Obey them while they have the upper hand, but dig your idols back from the ground when the guys with big swords leave. Same here, once the big money behind the law lobby has gone away, the pressure has been put not to actually put law to use.
This sort of common sense is why our criminal law allows police to conduct immediate house searches without court warrant based on suspicion of any crime with potential punishment of 6 months jail or more. It's there, and it's used to catch mainly marijuana growers and resellers. But its abuse for purposes other then that is minimal-to-nonexistent, because folks at police know - if they abuse it even once in a noticeable way, they'll lose the law.
It's that mutual respect between the law and it's executors and general population that is unique to Nordic countries, and why authorities tend to have more leeway legally, and yet rarely if every abuse it clocking lowest corruption figures in the world.