Legality of piggybacking
Laws regarding "unauthorized access of a computer network" exist in many legal codes, though the wording and meaning differ from one to the next. However, the interpretation of terms like "access" and "authorization" is not clear, and there is no general agreement on whether piggybacking falls under this classification. Some jurisdictions prohibit it, some permit it, and others are not well-defined.
For example, a common but untested argument is that the 802.11 and DHCP protocols operate on behalf of the owner, implicitly requesting permission to access the network, which the wireless router then authorizes.
In addition to laws against unauthorized access on the user side, there are the issues of breach of contract with the Internet service provider on the network owner's side. Many terms of service prohibit bandwidth sharing with others, though others allow it. The Electronic Frontier Foundation maintains a list of ISPs that allow sharing of the Wi-Fi signal.
Australia
Under Australian Law, "unauthorized access, modification or impairment" of data held in a computer system is a federal offence under the Criminal Code Act 1995. The act refers specifically to data as opposed to network resources.Canada
In Canadian law, unauthorized access is addressed the Criminal Code, s 342.1, which provides that: "Every one who, fraudulently and without colour of right" obtains "computer services" from an access point is subject to criminal charges.Section 326 of the Criminal Code may also be used to address unauthorized access of a computer network: ' Every one commits theft who fraudulently, maliciously, or without colour of right', ' uses any telecommunication facility or obtains any telecommunication service.'
In Morrisburg, Ontario in 2006, a man was arrested under section 326 of the Criminal Code. Ultimately the arrest was poorly reported, there does not seem to be any information available with regards to conviction.
European Union
In September 2016, the European Court of Justice decided in "McFadden" C-484/14 that "a businessman providing a public wifi network is not responsible for copyright infringement incurred by users. But he can be ordered to protect the network with a password, to prevent copyright infringement". The Electronic Frontier Foundation had lobbied for not requiring passwords.Germany
Hong Kong
Under HK Laws. Chapter 200 Crimes Ordinance Section 161 Access to computer with criminal or dishonest intent:Italy
Unauthorized access to a protected system is illegal.Japan
On April 28, 2017 the Tokyo District Court ruled that accessing a wireless LAN network without authorization is not a crime, even if the network is protected with a password. In a case brought before the court involved a man named Hiroshi Fujita, who was accused of accessing a neighbors wi-fi network without authorization and sending virus-infected emails, and then using that to steal internet banking information and send funds to his own bank account without authorization. Hiroshi was found guilty of most of what he was accused of and sentenced to 8 years in prison. Regarding the unauthorized access of wireless networks, prosecutors argued that wi-fi passwords fall under the category of "secrets of wireless transmission" and that therefore obtaining and using passwords without permission of the network operator would fall under the category of unauthorized use of wireless transmission secrets, which is prohibited by law. However, the court ruled that the defendant is not guilty, stating in their ruling that wi-fi passwords do not fall under that category and therefore the unauthorized obtainment of passwords and subsequent accessing of protected wireless networks is not a crime.Russia
Although Russian criminal law does not explicitly forbid access to another person's network, there is a common judicial practice to qualify these cases as an "unathorized access to an information" according to Article 272 of the Criminal Code. To construct the accusation, one considers ISP's billing data the information which has been accessed.In addition, if the defendant have used any program to access the network, he may also be charged by Article 273.
Singapore
Piggybacking another person's unsecured wireless network is illegal in Singapore under section 6 of the Computer Misuse and Cybersecurity Act. The offender is liable to a fine of $10,000, imprisonment for up to 3 years, or both.In November 2006, the 17-year-old Garyl Tan Jia Luo, was arrested for tapping into his neighbour's wireless Internet connection. On 19 December, Tan pleaded guilty to the charge, and on 16 January 2007 he became the first person in Singapore to be convicted of the offense. He was sentenced by the Community Court to 18 months' probation, half of which was to be served at a boys' home. For the remaining nine months, he had to stay indoors from 10:00 pm to 6:00 am. He was also sentenced to 80 hours of community service and banned from using the Internet for 18 months; his parents risked forfeiting a S$5,000 bond if he failed to abide by the ban. Tan was also given the option of enlisting early for National Service. If he did so, he would not have to serve whatever remained of his sentence.
On 4 January 2007, Lin Zhenghuang was charged for using his neighbour's unsecured wireless network to post a bomb hoax online. In July 2005, Lin had posted a message entitled "Breaking News – Toa Payoh Hit by Bomb Attacks" on a forum managed by HardwareZone. Alarmed by the message, a user reported it to the authorities through the Government of Singapore's eCitizen website. Lin faced an additional 60 charges for having used his notebook computer to repeatedly access the wireless networks of nine people in his neighborhood. Lin pleaded guilty to one charge under the Telecommunications Act and another nine under the Computer Misuse Act on 31 January. He apologised for his actions, claiming he had acted out of "stupidness" and not due to any "malicious or evil intent". On 7 February he was sentenced by District Judge Francis Tseng to three months' jail and a S$4,000 fine. The judge also set sentencing guidelines for future 'mooching' cases, stating that offenders would be liable to fines and not to imprisonment unless offences were "committed in order to facilitate the commission of or to avoid detection for some more serious offence", as it was in Lin's case.
United Kingdom
The Computer Misuse Act 1990, section 1 reads:In London, 2005, Gregory Straszkiewicz was the first person to be convicted of a related crime, "dishonestly obtaining an electronics communication service". Local residents complained that he was repeatedly trying to gain access to residential networks with a laptop from a car. There was no evidence that he had any other criminal intent. He was fined £500 and given a 12-month conditional discharge.
In early 2006, two other individuals were arrested and received an official caution for "dishonestly obtaining electronic communications services with intent to avoid payment."
United States
There are federal and state laws addressing the issue of unauthorized access to wireless networks. The laws vary widely between states. Some criminalize the mere unauthorized access of a network, while others require monetary damages for intentional breaching of security features. The majority of state laws do not specify what is meant by "unauthorized access". Regardless, enforcement is minimal in most states even where it is illegal, and detection is difficult in many cases.Some portable devices, such as the Apple iPad and iPod touch, allow casual use of open Wi-Fi networks as a basic feature, and often identify the presence of specific access points within the vicinity for user geolocation.
Arrests
In St. Petersburg, 2005, Benjamin Smith III was arrested and charged with "unauthorized access to a computer network", a third-degree felony in the state of Florida, after using a resident's wireless network from a car parked outside.An Illinois man was arrested in January 2006 for piggybacking on a Wi-Fi network. David M. Kauchak was the first person to be charged with "remotely accessing another computer system" in Winnebago County. He had been accessing the Internet through a nonprofit agency's network from a car parked nearby and chatted with the police officer about it. He pleaded guilty and was sentenced to a fine of $250 and one year of court supervision.
In Sparta, Michigan, 2007, Sam Peterson was arrested for checking his email each day using a café's wireless Internet access from a car parked nearby. A police officer became suspicious, stating, "I had a feeling a law was being broken, but I didn't know exactly what". When asked, the man explained to the officer what he was doing, as he did not know the act was illegal. The officer found a law against "unauthorized use of computer access", leading to an arrest and charges that could result in a five-year felony and $10,000 fine. The café owner was not aware of the law, either. "I didn't know it was really illegal, either. If he would have come in it would have been fine." They did not press charges, but he was eventually sentenced to a $400 fine and 40 hours of community service. This case was featured on The Colbert Report.
In 2007, in Palmer, Alaska, 21-year-old Brian Tanner was charged with "theft of services" and had his laptop confiscated after accessing a gaming website at night from the parking lot outside the Palmer Public Library, as he was allowed to do during the day. The night before, the police had asked him to leave the parking lot, which he had started using because they had asked him not to use residential connections in the past. He was not ultimately charged with theft, but could still be charged with trespassing or not obeying a police order. The library director said that Tanner had not broken any rules, and local citizens criticized police for their actions.
Legislation
In 2003, the New Hampshire House Bill 495 was proposed, which would clarify that the duty to secure the wireless network lies with the network owner, instead of criminalizing the automatic access of open networks. It was passed by the New Hampshire House in March 2003 but was not signed into law. The current wording of the law provides some affirmative defenses for use of a network that is not explicitly authorized:There are additional provisions in the NH law, Section 638:17 Computer Related Offenses, as found by searching NH RSA's in December 2009. They cover actual use of someone else's computer rather than simply "access":
New York law is the most permissive. The statute against unauthorized access only applies when the network "is equipped or programmed with any device or coding system, a function of which is to prevent the unauthorized use of said computer or computer system". In other words, the use of a network would only be considered unauthorized and illegal if the network owner had enabled encryption or password protection and the user bypassed this protection, or when the owner has explicitly given notice that use of the network is prohibited, either orally or in writing. Westchester County passed a law, taking effect in October 2006, that requires any commercial business that stores, utilizes or otherwise maintains personal information electronically to take some minimum security measures in an effort to fight identity theft. Businesses that do not secure their networks in this way face a $500 fine. The law has been criticized as being ineffectual against actual identity thieves and punishing businesses like coffee houses for normal business practices.