Dutch Court Rules WiFi Hacking Not a Criminal Offense 234
loekessers writes "Breaking in to an encrypted router and
using the WiFi connection is not an criminal offense, a Dutch court ruled. (Original article in Dutch; English translation.)
WiFi hackers can not be prosecuted for breaching router security. The judge reasoned that the student didn't gain access to the computer connected to the router, but only used the router's internet connection. Under Dutch law, breaking into a computer is forbidden. A computer in The Netherlands is defined as a machine that is used for three things: the storage, processing and transmission of data. A router can therefore not be described as a computer because it is only used to transfer or process data and not for storing bits and bytes. Hacking a device that is no computer by law is not illegal, and can not be prosecuted, the court concluded. "
Where is the line? (Score:4, Interesting)
Re: (Score:3)
ya, it stores all of the settings of the router, which determine where all the data is transmitted to...
Re: (Score:2)
So, to make it illegal, you need a router that you can connect a USB drive to, so it can serve files?
Mine serves files, the config section is a series of internal web pages...
Re: (Score:2)
Re:Where is the line? (Score:5, Insightful)
When you are breaking and entering someones wlan, you are not accessing these parts of the router. You are only gaining access to the transmission part of the device (AccessPoint), it's like finding a way to sneakily plug a cable into someone else his network (without tresspassing on his property). The safety of the other parts is not compromised (your not using the same passphrase for the default user of the device and the wlan, are you) .
The law used to deter wireless hacking has the word computer in it. Using specific devices is always a big risk in laws with fast evolving technologies. A judge decided to formulate a definition of the word computer. I personally think it was a good call, though I don't want any unautorized access to my wlan myself.
If you want to argue this should be illegal, a better comparison would be to compare it with stealing electricity.
Re: (Score:2)
It *is* stealing electricity - in small amounts. It also is trespassing into private property, eavesdropping on private communication, "breach of confidence, perpetrated for profit", i.e. fraud.
Forging concert tickets is illegal, sneaking into cinemas is illegal, riding the subway without a ticket is illegal. The same should apply to using a password-protected router owned by someone else without permission.
Re: (Score:3)
it's very comparable to those kinds of things, I'm guessing that since the hacking law was written with penalties assuming that it would be people breaking into bank servers or stealing credit card numbers the judge wasn't keen to apply such large penalties for something which has more in common with sneaking into a cinema or riding the subway without a ticket.
Re: (Score:2)
Re: (Score:2)
What, by ruling that a router is not a computer? Yah, good job there dingus -- boy is my face red!
Re:Where is the line? (Score:5, Informative)
As for other details, the case involves a guy posting a threat - on 4chan - to commit a school shooting and apparantly hacked the Wifi as a little camo'.
Re:Where is the line? (Score:5, Interesting)
Re: (Score:2)
Wait, the router presumably has caches which are logical files, so even if the guy wasn't reading any files, he was writing to them.
Re: (Score:3)
"Ruling aside, the law will most likely be augmented to include networks and network devices in addition to computers."
Because?
What's the problem about breaking in someone's network that makes it a criminal offense instead of a civil one? This rule is quite a sensible one, why should it be overruled?
Re: (Score:2)
It endangers the foolish notion that IP==Identity.
If any random stranger can connect to your WiFi, even if you have secured it with a reasonably strong WPA2 password, then suddenly it becomes much more difficult for large corporations to finger you for whatever kind of digital content violation happens to be popular at the time, just because your router had leased that IP from the ISP at the time.
As such, large corporations with incentive to be litigious and to forcibly equate IP with Identity for the purpo
Re: (Score:2)
Re: (Score:2)
Even if he did not cause financial loss it's still an act which should be illegal. After all, breaking into a private house is a crime even if you don't steal anything, don't read the diary of the owner, and don't damage anything in the process of breaking in.
And if the connection is encrypted, you can't even say the door was wide open. "The door lock wasn't strong enough" isn't a valid excuse.
Re: (Score:3)
If the router was using an encrypted connection, then they should at least be a fine, but only if real intrusion was demonstrated. If it wasn't encrypted then that's the owner's fault.
The door analogy fails in the sense that your building has a specific graphical location, with which by default I am outside. A wireless signal can encroach on space that I am in and therefore includes me in that space whether I like it or not. You could argue that when I am decrypting the signal I am simply making sense of th
Re: (Score:2, Informative)
You keep repeating that, it makes you look dumb. There is no confidence involved because the two parties have had no communication. There's also no profit involved. You also look retarded for quoting a dictionary as opposed to the relevant Dutch law. I'd even be willing to cut you some slack if you had a layman's argument as to why this was so, but as is, you should put the crack pipe down.
Re: (Score:2)
Before this court ruling, I though it was illegal to access even unprotected WiFi routers, now it turns out it's legel to access protected ones.
So what does this mean for all the people (both owners of routers and users) who want to enable free WiFi access; is it legal again?
Re: (Score:2)
Re: (Score:2)
It is still illegal to use the network of the neighbours. The intent of the prosecutor was to slap this 14 year old boy with jailtime. That hasn't worked. But theft of services is still illegal. The court has esthablished that theft of services when it comes to illegal use of WiFi is a civil matter, not a criminal one.
Re: (Score:2)
+5 Informative
Re: (Score:2)
Oddly enough, most routers run some form of linux these days. Sounds like a computer to me.
Seems odd that just because it stores only a small amount of data it doesn't qualify as a computer.
But aren't the Dutch one of the same countries that came down hard on google for just accidentally intercepting data, and not even trying to crack a router?
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
This is why having your wireless outer also be your file server is a bad idea. You are essentially getting one door to unlock to get access to all the goodies. If your drive is connected to a server with a separate level of security then you have just made it that much harder to access that data for the unauthorised.
As to the power usage thing, this is one reason why I would like to see "wake on demand" or other similar technologies take off across the board. These technologies allow you to put your compute
Re: (Score:2)
How many "bits and bytes" does a device have to store to be declared a computer? I mean, mine stores a password, those are a few bits, where is the limit? I don't know enough about the case to comment on the details, but it seems an odd thing to base a ruling on to me.
Don't forget that lots of the routers now have usb ports included. So you can turn your "router" into a "computer" just by plugging in a usb memory stick.
How much data are you willing to expose due to simple wireless key decryption? Secure data should be on another server with separate authentication, IMHO. ''
At one place I work the wireless connection only gives you access to the internet. If you want access to the company network, then you will have to do it using the VPN. It may sound a bit paranoid, but at least VPN security is more robust than wireless security.
IF this passed in the US... (Score:2)
Speaking as though this passed in the US, I'm mildly concerned. There are plenty of extra costs that may be incurred, such as metered bandwidth or access of illegal materials. If this were to fly, it would also necessitate that other people using your network without authorization would not come back to bite the network holder.
Re: (Score:3)
Then you better start to learn how to secure your router. Sorry, but sympathy for those unable to secure their systems and unwilling to learn how to do it is not forthcoming.
Re: (Score:3)
Sorry, but sympathy for those unable to wear body armor capable of stopping a .50 BMG AP round is not forthcoming.
Re:IF this passed in the US... (Score:5, Insightful)
How is this different than stealing your car, taking it for a spin, and then putting it back in your driveway?
Would you respond "Learn to install a better alarm and not allow your car to be hot-wired so easy"?
You don't have to install an unbreakable lock to be protected from theft in the eyes of the law.
Re: (Score:3)
And more to the point, if someone stole your car and used it as a getaway in a bank robbery, the bank wouldn't sue you for the money they lost.
Re: (Score:2)
If you truely believe in 100% secure routers, you are a fool.
Re: (Score:3)
yeah, we shouldn't make any stealing illegal. Learn to lock your house more if you dont want burgers.
This makes me want to leave my door unlocked, with the hope that the reverse hamburglar deposits burgers in my house.
Re: (Score:2)
Re: (Score:3)
The issue is "should this be subject of Civil or Criminal proceedings?"
Civil litigation could include tortuous interference on the grounds of directly, or indirectly causing the network owner to incur costs from bandwidth usage or inappropriate network usage.
With small claims court having a $5,000 limit and the much lower standards of proof required for civil litigation vs criminal litigation, it seems likely that you would be more likely to get compensated for a few thousand dollars out of civil litigatio
Re: (Score:3)
It
Re: (Score:2)
That would be a civil case, this case is purely criminal law
That can be sued for in civil court (Score:2)
As a dutch person, I have of course followed this and the judge simply stated that with the current law, there is no ground for criminal prosecution in breaking into a PURE wifi-router. A lot of modern wifi-routers for consumers are no longer just plain routers but offer computer services like bittorrent and network attached storage.
Anyway, the judge did say you could start a civil case against the hacker.
But also keep in mind that the dutch legal system is extremely wonky, ruled by judges who are completel
Re: (Score:2)
[citations needed]
No, the judge has said no such thing. In fact, I wholeheartedly believe this same judge would declare the unauthorized taking of fuel from a car a criminal offense. The judge said that there is no criminal law against simply using someone else's network. And he is right: the
Re: (Score:2)
Re: (Score:2)
But this is a very thin line.
Interesting, but (Score:2)
Honestly, this kind of action should have its own set of laws to cover it rather than relying on existing laws that weren't designed to cover such activities.
Re: (Score:2)
The judge ruled, if I'm reading it correctly, that the router did not store "personal" information, and/or the hacker did not attempt to access it.. its a bit vague
I think their laws, or previous court cases, ruled or created 'definitions' of devices that lead the judge to rule it's not a computer as it's intent is not to store a person's private information... All "computerized devices" have bits and bytes stored...
As for previous cases, the article referenced a 2008 article where 'piggybacking' on interne
Re: (Score:2)
Re: (Score:2)
Apparently Dutch courts are smart enough to recognize the spirit of the law. I wish they would teach that skill to the American courts.
In other words, a buffer is technically storage, but is not what most people mean when they say a computer has storage. When most people say storage, they mean persistent storage of user data, not buffers and not configuration. You don't claim a light switch is a computer because it saves one bit of state information do you?
Re: (Score:2)
My router does all three. (Score:2)
My router stores configuration data. My router processes DHCP requests. My router transfers packets between the internet and my network.
This judge fucked up.
LK
Re: (Score:2)
Re: (Score:2)
What you speak of is called "theft of services".
LK
My Airport Base Station with a Time Machine drive (Score:2)
would beg to differ.
However, it still isn't a computer. Embedded devices might be functionally capable of doing many of the same things, but what distinguishes a computer is whether it provides the ability to install and run arbitrary software (not just whatever the manufacturer installed) that allows the user to create and store significant amounts of information without hacking the device in any way.
In layman's terms, the question can generally be worded as, "Can I install apps on it, write a term paper
Re: (Score:2)
Just to clarify, cracking access to the disk should be criminal trespass in that you are accessing a resource (disk) that is effectively a part of my computer even though it happens to be physically attached using the network.
Seriously? Five minutes between posts for logged in users? What's wrong with this site? That's okay. I'll just click every second until it lets me post.
Re: (Score:2)
Seriously? Five minutes between posts for logged in users?
I think you need 25 posts modded in-something to get fast posting privileges.
Re: (Score:2)
It was annoying at two. Now, it's just obnoxious.
Re: (Score:2)
So servers aren't computers?
Honestly, I know people who use Linux boxes as routers. I also know of routers that can be configured to run small web servers (not just the configuration pages, mind you).
This decision is really, really weird.
Citation for how you define "computer" (Score:2)
but what distinguishes a computer is whether it provides the ability to install and run arbitrary software (not just whatever the manufacturer installed) that allows the user to create and store significant amounts of information without hacking the device in any way.
This is true of a "general purpose computer". Have you a citation that "computer" necessarily means "general purpose computer"?
Re: (Score:2)
would beg to differ. However, it still isn't a computer. Embedded devices might be functionally capable of doing many of the same things, but what distinguishes a computer is whether it provides the ability to install and run arbitrary software (not just whatever the manufacturer installed) that allows the user to create and store significant amounts of information without hacking the device in any way.
Keep begging, I'm not letting you "differ"; Not with that bogus argument anyhow.
I SSH into my WRT54GL router w/ Tomato Linux firmware. [polarcloud.com] My router runs Linux from the factory and has a "firmware upgrade" option that I used to install the aforementioned Tomato Linux.
I write my own small C programs, cross compile them for the router scp (copy) them into and run them in the router. It is every bit as much a computer as a web server is -- Hint: you use the HTTP web server interface to configure most every ro
Re: (Score:2)
And you've hacked the router to do all of this. That's not the way a router was intended to be used. By that same definition, my laptop is a dinner plate, and a few of my old LEDs are firecrackers.
The purpose of laws against cracking computers is to prevent data and/or identity theft. To the extent that your router contains enough data to steal... maybe... but that's *really* a stretch.
Besides, nobody is talking about cracking into the device itself anyway, but rather cracking access keys to gain access
Re: (Score:2)
And you've hacked the router to do all of this. That's not the way a router was intended to be used. By that same definition, my laptop is a dinner plate, and a few of my old LEDs are firecrackers.
Define "hacked". I used the router's own firmware upgrade feature. My point is that "router" doesn't have to mean embedded device -- Hell, take any computer with more than 2 nics on it and you've got a router. Some of the "factory" firmware upgrades add additional features -- Clearly the functionality is PROGRAMMABLE -- Guess what, that makes it GENERAL PURPOSE.
Your problem is that you are defining a "computer" by the software that it comes with -- from the factory. I'll have you know that none of the
Re: (Score:2)
No, I'm defining it based on the hardware's intended purpose. A router was designed to move bits around from one network to another. It was built with the absolute minimum amount of hardware needed to do a single, specific task.
By contrast, a traditional computer that happens to have two NICs was designed for general computing use, and is being used for a more limited task. There's a fairly fundamen
Re: (Score:2)
Re: (Score:2)
Depending on how you define I/O, they either do or do not pass that. I would argue that the original intent of the term was to refer to devices that provide input and output directly to the user, e.g. a keyboard and screen, in which case they don't.
Either way, the original intent of the term was to explain the difference between parts that were designed to be used for a single purpose via parts that were designed to be programmed for arbitrary computation. That distinction, thanks to economies of scale on
Re: (Score:2)
Re: (Score:2)
However, it still isn't a computer. Embedded devices might be functionally capable of doing many of the same things, but what distinguishes a computer is whether it provides the ability to install and run arbitrary software (not just whatever the manufacturer installed) that allows the user to create and store significant amounts of information without hacking the device in any way.
Ever hear of DD-WRT? Optware? And no, before you say it, a firmware update is not "hacking the device" by any stretch of the imagination. By your logic, my Asus router would be a computer, but my linksys router wouldn't be.
Nonsense. Here's what Miriam Webster has to say on the issue:
computer
noun, often attributive \km-pyü-tr\
Definition of COMPUTER
: one that computes; specifically : a programmable usually electronic device that can store, retrieve, and process data
Any router I've ever seen would fi
Re: (Score:2)
Yes, it is. The manufacturer didn't design those routers with the intent that people would run their own applications on them. Sure, they might have been kind to homebrew hackers and added a little more RAM and flash than their firmware required in certain models, but clearly the assumption for these devices is that the firmware upgrade mechanism will be used for running prepackaged, manufacturer-pr
Re: (Score:2)
Re: (Score:2)
By computer, I'm using the term to mean "general purpose computer", which is how the term has been used by the vast majority of the public for at least a couple of decades. By loose enough definitions, my wristwatch is a computer. That doesn't mean it is what people intended to protect when they wrote laws protecting against computer break-ins.
An Internet kiosk either can meet those definitions but has been specifically limited by the owner (a user) by installing software so that other users cannot do tho
Routers do store and process and transmit data... (Score:2)
Especially routing information. They store the results of ARP requests too. And they process information to decide how to forward packets. Apparently the judge wasn't too clear on how routers work.
Re: (Score:2)
AFAICT, the law requires that a computer be accessed without authorization AND that "personal data" (I cannot find what their legal definition of this is exactly) must be exposed as a result.
Unless said router also has NAS capabilities in use or the log files can be considered personal data, the law does not apply.
Re: (Score:2)
Re: (Score:2)
Questionable (Score:2)
Although I'd not say that someone using such a hacked WiFi should not be punished, I find their reasoning more than questionable. I run a dual core 400 MHz P-II as a router (WLAN AP with 63 chars WEP2 key), so hacking mine would be criminal. I don't see why hacking a - properly secured - usual WLAN router box should be treated differently. I'd decide that based on the intention - if it was just for regular internet usage - OK then just give the offender a slap on his ass, but if it was to commit serious cr
Re: (Score:3)
I run a dual core 400 MHz P-II as a router ...
Ouch.
Not that I have anything against hardware reuse ... but seriously, if you shelled out some cash to upgrade to an Atom-based box, the reduction in electrical usage would probably be enough to recoup the cost within a year.
Re: (Score:2)
I know, I know. A cigar-case sized box with 3* Gbit LAN and 1* 54 Mbit (or better) WLAN capable of running IPCop or similar would cost me a little over 200 Euros. Have some more urgent problems right now, but it's on my list.
But, then I have to fear the Dutch hackers, whom I'd rather not mess with. Fortunately I could sue them here in Germany, thanks to being in the EU. :)
Technologically Ignorent (Score:2)
A switch isn't necessarily a computer but a router definitely is. Back in the day all routers were physical PC. Now they are embedded systems. And they store all sorts of information, most importantly routing information!
But a dunce cap on this guy and make him sit in the corner.
Re: (Score:2)
A switch isn't necessarily a computer but a router definitely is.
The only difference between a router and a switch is the network layer they operate upon - switches operate on layer 2 traffic, routers operate on layer 3 traffic (or potentially layer 4 traffic if it is doing NAT and stateful firewalling). In fact, most modern managed switches have some level of layer 3 support (e.g. IGMP snooping).
I'm not even clear that the article is talking about a router - it could very easily be talking about a wireless bridge, in which case it too is only operating on layer 2 traff
Thats inacceptable. (Score:2)
A router is a computer and it stores information. Many routers have access logs. For me breaking into an encrypted WLAN is like mechanically removing the lock from an ethernet port on private property and plugging youerself in. In the normal case you still can log what is currently going on (Wireless can not be switched, so you see all packets), and in the worst case see logs or manipulate the router without any trace.
Should i move to the netherlands, i will use a VPN service to access the internet and a ca
Re: (Score:2)
dd-wrt (Score:2)
Okay now, tell me about routers (Score:2)
Jules: Well, hacking routers is legal there, right?
Vincent: Yeah, it's legal, but it ain't a hundred percent legal. I mean, you can't walk into a restaurant, roll out your netbook, and start wardrivin' away. They want you to hack routers in your home or certain designated places.
Jules: Those are router bars?
Vincent: Breaks down like this, okay: it's legal to hack a router, it's legal to own one, and if you're the proprietor of a router bar, it's legal to sell r
no under criminal law, yes under civil law (Score:2)
It might be good to note, that these actions can still be prosecuted under civil law. That is, the intruder can still be held accountable for costs incurred by his use of the network. Having said that, I personally still think this should be a criminal offense, as it is a clear breach of privacy. What I do on my local network should be my business alone. Right now, the defense is required to prove eavesdropping on the network itself, which is very hard to do.
What if your router is a PC? (Score:2)
I use a old Pentium 3 running Debian as a router. Ofcourse i didn't put a wireless card in it, since i don't need wireless connectivity, i doubt most people do, it's probably out of laziness that people use it instead of just pluggin in an ethernet cable... (unless your device doesn't have an ethernet port).
By the way, you can turn off the wireless connectivity on most routers and you should, if you're not using it...
Actually I like it in a way (Score:2)
I'll dissent a bit and say that IMO this is a fairly good ruling.
That's not to say it should be legal, but it should fall under a different law, something like "theft of services". Like whatever law applies to hooking up to somebody else's electricity or water supply.
I don't think breaking into somebody else's computer, and using their internet connection without permission are equivalent. They're done for different reasons, though they may be connected, and the seriousness isn't the same.
Wrong (Score:2)
I disagree strongly with their ruling. If I place a password on my router and use encryption, it is OBVIOUS it is a private network. Breaking into that network for ANY reason is, essentially, trespassing and SHOULD be a criminal offense. It doesn't matter the reason.
Under their logic, I could place locks on my fences on my property, but someone would be allowed to go onto my property, pick the locks, and break into my backyard... but that is OK as long as they wear a blindfold?
Just having a wireless netw
Username/pw was handed over by owner of router (Score:2)
Note that the neighbour has given up the password of the (ADSL) router voluntarily because the internet connection of the suspect (probably cable) was sometimes unstable. So the message was just posted over a connection differently than the one he owned, probably to disguise his location. Nonetheless, it seems he just used the internet connection, albeit in a way that is not according to Dutch law. The neighbour has just been inconvenienced and will probably now think twice when somebody asks her to share h
basic reasoning escapes judge (Score:2)
The results of "breaking into" a router (whether it is wide open or not) is impersonation/identity theft and theft. If someone connects and then behaves themselves, then the results of the offense are nil. The issues become apparent when the intruder downloads GB of warez and you incur overage charges from your ISP and a visit from the police.
As for breaking in itself, instead of a car analogy, let's use a bike analogy. I like near a large cottage community that has free painted community bicycles. It'
Re: (Score:3)
It seems the law, as the judge rules, is that you have to "Browse" through the personal information. If you hack the router and gain access, but stop there and only use it for connecting, you are not breaking the law they have. It appears "Intrusion" requires you view the information on the device...
I suppose a poor analogy would be picking the lock on a house, but not opening the door... when no law against 'lock picking' exists... which in this case also did not share the key with anyone else, nor leave t
Theft of service (Score:3)
It appears "Intrusion" requires you view the information on the device...
Do they have a "theft of service" law in the Netherlands? If so, running up a big Internet bill might be grounds for that.
Re: (Score:2)
Almost any connection is really unlimited here. Starting at about 20-25 euro's a month for a 20mbits/1mbits connection.
Re: (Score:3)
I suppose a poor analogy would be picking the lock on a house, but not opening the door... when no law against 'lock picking' exists... which in this case also did not share the key with anyone else, nor leave the house vulnerable to another person with ill intent
A better analogy would be picking the lock, walking in, kicking your feet up on the coffee table, turning on the TV, and using their phone to call up the local pizza and/or beer delivery place. Might not be illegal, but it certainly should be.
Re: (Score:2)
A better analogy would be picking the lock, walking in, kicking your feet up on the coffee table, turning on the TV, and using their phone to call up the local pizza and/or beer delivery place. Might not be illegal, but it certainly should be.
The GP is wrong.
In many states, merely walking around with a lockpick set is illegal.
AFAIK, in all states, putting a lockpick into a keyhole is considered "entering" even if you fail to successfully pick the lock or do, but don't go inside.
Re: (Score:2)
That's trespassing. If broadcasting a signal into your house is trespassing, I have five or six neighbors who I could sue, since I clearly receive their packets inside my house.
Re: (Score:2)
If you hack the router and gain access, but stop there and only use it for connecting, you are not breaking the law they have.
If I understand the article correctly, we should probably qualify this statement to read:
If you hack the router and gain access, but stop there and only use it for connecting, you are not breaking the criminal law they have.
Re: (Score:2)
Not the case here
http://yro.slashdot.org/comments.pl?sid=2044540&cid=35539746
Their courts already ruled using another persons internet is not illegal. This law is broken specifically when you try to go the next step (try to access personal information)
If the hacker tried to take log files, or go into another computer, or browse through files... He would likely have been covered. Since he sniffed the key and used it.. without doing gathering any personal information (except maybe "god" "password" "admin"
Re: (Score:2)
20 hours of community service after publically threatening to shoot everyone at a high school? What a joke.
20 hours is a bit short, but we're not talking about the US where typical children have easy access to guns and are anti-social enough to go through with it.
What WOULD be a good punishment for a kid who made an idle threat on the internet?
Re: (Score:2)
Re: (Score:2)
Suppose you sent your wife to Best Buy to get you a computer, and she came back with a router. Are you satisfied? It does store, process and transmit information. But somehow, something seems to be missing...
Re: (Score:2)
No, it states that he retrieved the username/password by asking them. The found a note next to his XBox from the neighbour next door. Both she and her husband had voluntarily given this information. Extra points for trying to read Dutch articles though :)