Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Crime Encryption The Courts Wireless Networking

Dutch Court Rules WiFi Hacking Not a Criminal Offense 234

loekessers writes "Breaking in to an encrypted router and using the WiFi connection is not an criminal offense, a Dutch court ruled. (Original article in Dutch; English translation.) WiFi hackers can not be prosecuted for breaching router security. The judge reasoned that the student didn't gain access to the computer connected to the router, but only used the router's internet connection. Under Dutch law, breaking into a computer is forbidden. A computer in The Netherlands is defined as a machine that is used for three things: the storage, processing and transmission of data. A router can therefore not be described as a computer because it is only used to transfer or process data and not for storing bits and bytes. Hacking a device that is no computer by law is not illegal, and can not be prosecuted, the court concluded. "
This discussion has been archived. No new comments can be posted.

Dutch Court Rules WiFi Hacking Not a Criminal Offense

Comments Filter:
  • Where is the line? (Score:4, Interesting)

    by mordenkhai ( 1167617 ) on Friday March 18, 2011 @11:14PM (#35539630)
    How many "bits and bytes" does a device have to store to be declared a computer? I mean, mine stores a password, those are a few bits, where is the limit? I don't know enough about the case to comment on the details, but it seems an odd thing to base a ruling on to me.
    • by Sir_Sri ( 199544 )

      ya, it stores all of the settings of the router, which determine where all the data is transmitted to...

    • by cappp ( 1822388 ) on Friday March 18, 2011 @11:31PM (#35539708)
      The court's ruling itself can be found here [googleusercontent.com]. It's a little wonky linguistically and the frames are messy, but scroll down and you'll find some really interesting details. For your question it seems the court considered two factors - was it a computerised device (which the translation makes difficult to establish...seemingly could be read either way) and second, was there an intrusion which exposed personal data. Since the latter didn't occur it doesn't matter if the former is true.

      As for other details, the case involves a guy posting a threat - on 4chan - to commit a school shooting and apparantly hacked the Wifi as a little camo'.
    • by Idefix97 ( 725474 ) on Friday March 18, 2011 @11:40PM (#35539746)
      I've read the original article mentioned in Dutch, and the gist of it is really that it isn't illegal to simply use someone else's network (even when it is encrypted), but it would be illegal to start browsing electronic files in that network.
      • by jd ( 1658 )

        Wait, the router presumably has caches which are logical files, so even if the guy wasn't reading any files, he was writing to them.

      • by mwvdlee ( 775178 )

        Before this court ruling, I though it was illegal to access even unprotected WiFi routers, now it turns out it's legel to access protected ones.
        So what does this mean for all the people (both owners of routers and users) who want to enable free WiFi access; is it legal again?

        • by brusk ( 135896 )
          Is it possible that the rules vary from country to country? Nah...
        • by burne ( 686114 )

          It is still illegal to use the network of the neighbours. The intent of the prosecutor was to slap this 14 year old boy with jailtime. That hasn't worked. But theft of services is still illegal. The court has esthablished that theft of services when it comes to illegal use of WiFi is a civil matter, not a criminal one.

    • by icebike ( 68054 )

      Oddly enough, most routers run some form of linux these days. Sounds like a computer to me.
      Seems odd that just because it stores only a small amount of data it doesn't qualify as a computer.

      But aren't the Dutch one of the same countries that came down hard on google for just accidentally intercepting data, and not even trying to crack a router?

      • I don't think the person was breaking into the router itself, but into the network. Just like how logging into a website is different to logging into the webserver that is hosting said website.
    • by Yvanhoe ( 564877 )
      That's a law, stop thinking it needs to be as clearly defined as a technical specs. It just exists to give the impression that rulings are not arbitrary.
  • Speaking as though this passed in the US, I'm mildly concerned. There are plenty of extra costs that may be incurred, such as metered bandwidth or access of illegal materials. If this were to fly, it would also necessitate that other people using your network without authorization would not come back to bite the network holder.

    • Then you better start to learn how to secure your router. Sorry, but sympathy for those unable to secure their systems and unwilling to learn how to do it is not forthcoming.

      • Sorry, but sympathy for those unable to wear body armor capable of stopping a .50 BMG AP round is not forthcoming.

      • by cortesoft ( 1150075 ) on Saturday March 19, 2011 @02:03AM (#35540322)

        How is this different than stealing your car, taking it for a spin, and then putting it back in your driveway?

        Would you respond "Learn to install a better alarm and not allow your car to be hot-wired so easy"?

        You don't have to install an unbreakable lock to be protected from theft in the eyes of the law.

        • by sjames ( 1099 )

          And more to the point, if someone stole your car and used it as a getaway in a bank robbery, the bank wouldn't sue you for the money they lost.

      • by mwvdlee ( 775178 )

        If you truely believe in 100% secure routers, you are a fool.

    • by micheas ( 231635 )

      The issue is "should this be subject of Civil or Criminal proceedings?"

      Civil litigation could include tortuous interference on the grounds of directly, or indirectly causing the network owner to incur costs from bandwidth usage or inappropriate network usage.

      With small claims court having a $5,000 limit and the much lower standards of proof required for civil litigation vs criminal litigation, it seems likely that you would be more likely to get compensated for a few thousand dollars out of civil litigatio

      • This is exactly what this Dutch court case is about. The judges did not rule that breaking into someone's WiFi is now allowed; they ruled that it is not a criminal offence defined as "computervredebreuk" (lit. "violating a computer's peace"). It is still subject to civil proceedings. Although... interestingly, in 2008 a Dutch judge ruled that using someone else's bandwidth isn't theft because bandwidth and data "aren't goods". Maybe this jurisprudence adds up to WiFi hacking being legal, after all.

        It
    • by Kharny ( 239931 )

      That would be a civil case, this case is purely criminal law

    • As a dutch person, I have of course followed this and the judge simply stated that with the current law, there is no ground for criminal prosecution in breaking into a PURE wifi-router. A lot of modern wifi-routers for consumers are no longer just plain routers but offer computer services like bittorrent and network attached storage.

      Anyway, the judge did say you could start a civil case against the hacker.

      But also keep in mind that the dutch legal system is extremely wonky, ruled by judges who are completel

      • But also keep in mind that the dutch legal system is extremely wonky, ruled by judges who are completely out of touch with reality.

        [citations needed]

        Because right now, this judge has declared that taking fuel from his car is not theft.

        No, the judge has said no such thing. In fact, I wholeheartedly believe this same judge would declare the unauthorized taking of fuel from a car a criminal offense. The judge said that there is no criminal law against simply using someone else's network. And he is right: the

        • And let us all not forget that The Netherlands have a Civil Legal system, not a Common one. So a judge can only rule based on the laws that are in place.
    • by Krneki ( 1192201 )
      Depends if the owner had any cost, privacy issue, ... I agree if there was no harm done there shouldn't be any penalty,
      But this is a very thin line.
  • Interesting, but don't routers have buffers, which store information, albeit only temporarily? Not to mention RAM for various things.

    Honestly, this kind of action should have its own set of laws to cover it rather than relying on existing laws that weren't designed to cover such activities.
    • by Mitsoid ( 837831 )

      The judge ruled, if I'm reading it correctly, that the router did not store "personal" information, and/or the hacker did not attempt to access it.. its a bit vague

      I think their laws, or previous court cases, ruled or created 'definitions' of devices that lead the judge to rule it's not a computer as it's intent is not to store a person's private information... All "computerized devices" have bits and bytes stored...

      As for previous cases, the article referenced a 2008 article where 'piggybacking' on interne

    • by sjames ( 1099 )

      Apparently Dutch courts are smart enough to recognize the spirit of the law. I wish they would teach that skill to the American courts.

      In other words, a buffer is technically storage, but is not what most people mean when they say a computer has storage. When most people say storage, they mean persistent storage of user data, not buffers and not configuration. You don't claim a light switch is a computer because it saves one bit of state information do you?

  • My router stores configuration data. My router processes DHCP requests. My router transfers packets between the internet and my network.

    This judge fucked up.

    LK

    • Did you buy your router to store and process data? No, you bought it to move data from one place to another. That is probably the abstraction level of "process" and "store" used to define this law. Maybe the law is wrong. But remember that judges in criminal cases are not there to make "fair" or "just" rulings; they are there to apply the law as it stands. It is up to legislators and politicians to codify what is fair and just into those laws.
  • would beg to differ.

    However, it still isn't a computer. Embedded devices might be functionally capable of doing many of the same things, but what distinguishes a computer is whether it provides the ability to install and run arbitrary software (not just whatever the manufacturer installed) that allows the user to create and store significant amounts of information without hacking the device in any way.

    In layman's terms, the question can generally be worded as, "Can I install apps on it, write a term paper

    • by dgatwood ( 11270 )

      Just to clarify, cracking access to the disk should be criminal trespass in that you are accessing a resource (disk) that is effectively a part of my computer even though it happens to be physically attached using the network.

      Seriously? Five minutes between posts for logged in users? What's wrong with this site? That's okay. I'll just click every second until it lets me post.

      • by tepples ( 727027 )

        Seriously? Five minutes between posts for logged in users?

        I think you need 25 posts modded in-something to get fast posting privileges.

    • by Nemyst ( 1383049 )

      So servers aren't computers?

      Honestly, I know people who use Linux boxes as routers. I also know of routers that can be configured to run small web servers (not just the configuration pages, mind you).

      This decision is really, really weird.

    • but what distinguishes a computer is whether it provides the ability to install and run arbitrary software (not just whatever the manufacturer installed) that allows the user to create and store significant amounts of information without hacking the device in any way.

      This is true of a "general purpose computer". Have you a citation that "computer" necessarily means "general purpose computer"?

    • would beg to differ. However, it still isn't a computer. Embedded devices might be functionally capable of doing many of the same things, but what distinguishes a computer is whether it provides the ability to install and run arbitrary software (not just whatever the manufacturer installed) that allows the user to create and store significant amounts of information without hacking the device in any way.

      Keep begging, I'm not letting you "differ"; Not with that bogus argument anyhow.

      I SSH into my WRT54GL router w/ Tomato Linux firmware. [polarcloud.com] My router runs Linux from the factory and has a "firmware upgrade" option that I used to install the aforementioned Tomato Linux.

      I write my own small C programs, cross compile them for the router scp (copy) them into and run them in the router. It is every bit as much a computer as a web server is -- Hint: you use the HTTP web server interface to configure most every ro

      • by dgatwood ( 11270 )

        And you've hacked the router to do all of this. That's not the way a router was intended to be used. By that same definition, my laptop is a dinner plate, and a few of my old LEDs are firecrackers.

        The purpose of laws against cracking computers is to prevent data and/or identity theft. To the extent that your router contains enough data to steal... maybe... but that's *really* a stretch.

        Besides, nobody is talking about cracking into the device itself anyway, but rather cracking access keys to gain access

        • And you've hacked the router to do all of this. That's not the way a router was intended to be used. By that same definition, my laptop is a dinner plate, and a few of my old LEDs are firecrackers.

          Define "hacked". I used the router's own firmware upgrade feature. My point is that "router" doesn't have to mean embedded device -- Hell, take any computer with more than 2 nics on it and you've got a router. Some of the "factory" firmware upgrades add additional features -- Clearly the functionality is PROGRAMMABLE -- Guess what, that makes it GENERAL PURPOSE.

          Your problem is that you are defining a "computer" by the software that it comes with -- from the factory. I'll have you know that none of the

          • by dgatwood ( 11270 )

            Your problem is that you are defining a "computer" by the software that it comes with -- from the factory.

            No, I'm defining it based on the hardware's intended purpose. A router was designed to move bits around from one network to another. It was built with the absolute minimum amount of hardware needed to do a single, specific task.

            By contrast, a traditional computer that happens to have two NICs was designed for general computing use, and is being used for a more limited task. There's a fairly fundamen

        • sorry do you know anything a "general purpose" computer has a specific technical meaning in CS. and all routers pass that
          • by dgatwood ( 11270 )

            Depending on how you define I/O, they either do or do not pass that. I would argue that the original intent of the term was to refer to devices that provide input and output directly to the user, e.g. a keyboard and screen, in which case they don't.

            Either way, the original intent of the term was to explain the difference between parts that were designed to be used for a single purpose via parts that were designed to be programmed for arbitrary computation. That distinction, thanks to economies of scale on

            • what point are you trying to make a router can be made to run arbitrary code what does IO have to do with it?
    • However, it still isn't a computer. Embedded devices might be functionally capable of doing many of the same things, but what distinguishes a computer is whether it provides the ability to install and run arbitrary software (not just whatever the manufacturer installed) that allows the user to create and store significant amounts of information without hacking the device in any way.

      Ever hear of DD-WRT? Optware? And no, before you say it, a firmware update is not "hacking the device" by any stretch of the imagination. By your logic, my Asus router would be a computer, but my linksys router wouldn't be.

      Nonsense. Here's what Miriam Webster has to say on the issue:

      computer
      noun, often attributive \km-pyü-tr\
      Definition of COMPUTER
      : one that computes; specifically : a programmable usually electronic device that can store, retrieve, and process data

      Any router I've ever seen would fi

      • by dgatwood ( 11270 )

        And no, before you say it, a firmware update is not "hacking the device" by any stretch of the imagination.

        Yes, it is. The manufacturer didn't design those routers with the intent that people would run their own applications on them. Sure, they might have been kind to homebrew hackers and added a little more RAM and flash than their firmware required in certain models, but clearly the assumption for these devices is that the firmware upgrade mechanism will be used for running prepackaged, manufacturer-pr

    • all routers can run arbitrary code. look up ddwrt
  • Especially routing information. They store the results of ARP requests too. And they process information to decide how to forward packets. Apparently the judge wasn't too clear on how routers work.

    • AFAICT, the law requires that a computer be accessed without authorization AND that "personal data" (I cannot find what their legal definition of this is exactly) must be exposed as a result.

      Unless said router also has NAS capabilities in use or the log files can be considered personal data, the law does not apply.

      • i would consider my "secret" that i used to secure the router personal information in teh same way my atm card pin is personal information
    • by Mitsoid ( 837831 )
      or the judge used a previous court ruling that determined routers do not store enough personal security information (SSN/Credit card numbers/etc.), are not used as a "Computer" (in the traditional sense), and are not designed to do so.. thus they are a "computerized device" and not a "Computer".. which pulls routers out of the "Computerized Intrusion" law -- perhaps this is covered in another law and the lawyer wanted to pin the hacker on the hardest offense he thought he could pull off
  • Although I'd not say that someone using such a hacked WiFi should not be punished, I find their reasoning more than questionable. I run a dual core 400 MHz P-II as a router (WLAN AP with 63 chars WEP2 key), so hacking mine would be criminal. I don't see why hacking a - properly secured - usual WLAN router box should be treated differently. I'd decide that based on the intention - if it was just for regular internet usage - OK then just give the offender a slap on his ass, but if it was to commit serious cr

    • I run a dual core 400 MHz P-II as a router ...

      Ouch.

      Not that I have anything against hardware reuse ... but seriously, if you shelled out some cash to upgrade to an Atom-based box, the reduction in electrical usage would probably be enough to recoup the cost within a year.

      • by Kosi ( 589267 )

        I know, I know. A cigar-case sized box with 3* Gbit LAN and 1* 54 Mbit (or better) WLAN capable of running IPCop or similar would cost me a little over 200 Euros. Have some more urgent problems right now, but it's on my list.

        But, then I have to fear the Dutch hackers, whom I'd rather not mess with. Fortunately I could sue them here in Germany, thanks to being in the EU. :)

  • A switch isn't necessarily a computer but a router definitely is. Back in the day all routers were physical PC. Now they are embedded systems. And they store all sorts of information, most importantly routing information!

    But a dunce cap on this guy and make him sit in the corner.

    • A switch isn't necessarily a computer but a router definitely is.

      The only difference between a router and a switch is the network layer they operate upon - switches operate on layer 2 traffic, routers operate on layer 3 traffic (or potentially layer 4 traffic if it is doing NAT and stateful firewalling). In fact, most modern managed switches have some level of layer 3 support (e.g. IGMP snooping).

      I'm not even clear that the article is talking about a router - it could very easily be talking about a wireless bridge, in which case it too is only operating on layer 2 traff

  • A router is a computer and it stores information. Many routers have access logs. For me breaking into an encrypted WLAN is like mechanically removing the lock from an ethernet port on private property and plugging youerself in. In the normal case you still can log what is currently going on (Wireless can not be switched, so you see all packets), and in the worst case see logs or manipulate the router without any trace.

    Should i move to the netherlands, i will use a VPN service to access the internet and a ca

    • The case revolves around legal definitions. In laymans terms a computer sits on your desk and you type/mouse stuff into it or watch Utube. To those of us with technicial backgrounds everything containing a cpu/gpu/mpu is a computer, but trying to explain that to a non techie will be rather difficult. Just as explaining the difference between hacker and cracker, this just isn't an easy road to travel. I think given the silly ideas politicians have that we want to avoid the whole problem and let sysadmins
  • so if you want to ensure prosecutability of intruders install dd-wrt and store some docs on there
  • Vincent: So what you want to know?
    Jules: Well, hacking routers is legal there, right?
    Vincent: Yeah, it's legal, but it ain't a hundred percent legal. I mean, you can't walk into a restaurant, roll out your netbook, and start wardrivin' away. They want you to hack routers in your home or certain designated places.
    Jules: Those are router bars?
    Vincent: Breaks down like this, okay: it's legal to hack a router, it's legal to own one, and if you're the proprietor of a router bar, it's legal to sell r
  • It might be good to note, that these actions can still be prosecuted under civil law. That is, the intruder can still be held accountable for costs incurred by his use of the network. Having said that, I personally still think this should be a criminal offense, as it is a clear breach of privacy. What I do on my local network should be my business alone. Right now, the defense is required to prove eavesdropping on the network itself, which is very hard to do.

  • I use a old Pentium 3 running Debian as a router. Ofcourse i didn't put a wireless card in it, since i don't need wireless connectivity, i doubt most people do, it's probably out of laziness that people use it instead of just pluggin in an ethernet cable... (unless your device doesn't have an ethernet port).

    By the way, you can turn off the wireless connectivity on most routers and you should, if you're not using it...

  • I'll dissent a bit and say that IMO this is a fairly good ruling.

    That's not to say it should be legal, but it should fall under a different law, something like "theft of services". Like whatever law applies to hooking up to somebody else's electricity or water supply.

    I don't think breaking into somebody else's computer, and using their internet connection without permission are equivalent. They're done for different reasons, though they may be connected, and the seriousness isn't the same.

  • I disagree strongly with their ruling. If I place a password on my router and use encryption, it is OBVIOUS it is a private network. Breaking into that network for ANY reason is, essentially, trespassing and SHOULD be a criminal offense. It doesn't matter the reason.

    Under their logic, I could place locks on my fences on my property, but someone would be allowed to go onto my property, pick the locks, and break into my backyard... but that is OK as long as they wear a blindfold?

    Just having a wireless netw

  • Note that the neighbour has given up the password of the (ADSL) router voluntarily because the internet connection of the suspect (probably cable) was sometimes unstable. So the message was just posted over a connection differently than the one he owned, probably to disguise his location. Nonetheless, it seems he just used the internet connection, albeit in a way that is not according to Dutch law. The neighbour has just been inconvenienced and will probably now think twice when somebody asks her to share h

  • The results of "breaking into" a router (whether it is wide open or not) is impersonation/identity theft and theft. If someone connects and then behaves themselves, then the results of the offense are nil. The issues become apparent when the intruder downloads GB of warez and you incur overage charges from your ISP and a visit from the police.

    As for breaking in itself, instead of a car analogy, let's use a bike analogy. I like near a large cottage community that has free painted community bicycles. It'

If you can't get your work done in the first 24 hours, work nights.

Working...