Ignorance of the law...?
July 2, 2008 10:17 AM Subscribe
If I run an open wireless access point using DHCP, is there a way for anyone to identify which PC or device in the IP range is receiving or sending traffic? If I run a shared connection and someone does something unlawful, is it my problem or theirs?
I'm using the latest Airport Extreme with 802.11n. I don't run any filtering software or anything like that. I just received a letter from my provider (Cox) saying that someone was sharing unauthorized content, but it wasn't me. I'm going to discuss this with the folks who share my connection, but my questions are:
1. Is it my liability if the **AA decides to sue?
2. Can they see who it actually was, like MAC address or computer name?
I understand the easiest solution moving forward is to close the access point, and running the connection open is probably in breach of Cox's TOS, but I'm more concerned about what happened already.
I'm using the latest Airport Extreme with 802.11n. I don't run any filtering software or anything like that. I just received a letter from my provider (Cox) saying that someone was sharing unauthorized content, but it wasn't me. I'm going to discuss this with the folks who share my connection, but my questions are:
1. Is it my liability if the **AA decides to sue?
2. Can they see who it actually was, like MAC address or computer name?
I understand the easiest solution moving forward is to close the access point, and running the connection open is probably in breach of Cox's TOS, but I'm more concerned about what happened already.
I think you shouldn't be thinking of "ultimate liability". Think about the following scenarios:
1. Neighbor uses your open wireless access point to upload/download child pornography. It is traced back to your IP address. Police knock at your door.
2. A "drive by" laptop user connects to your access point and sends a threatening message. Homeland Security comes knocking at your door.
3. Neighbor connects to P2P network and is tagged by the **AA. Your ISP gets a DMCA takedown notice and sends it to you. Alternately, the RIAA files a "John Doe" lawsuit, your ISP gives up your contact info, and you get served with a civil lawsuit.
In all three scenarios, you are probably "not guilty" or "not liable" -- but would likey have to incur costs to get to that final result. So even though it may ultimately be somebody else's problem, it is YOUR problem to clear your name and convince the law enforcement authorities (or civil litigants) that it's not you.
posted by QuantumMeruit at 10:35 AM on July 2, 2008
1. Neighbor uses your open wireless access point to upload/download child pornography. It is traced back to your IP address. Police knock at your door.
2. A "drive by" laptop user connects to your access point and sends a threatening message. Homeland Security comes knocking at your door.
3. Neighbor connects to P2P network and is tagged by the **AA. Your ISP gets a DMCA takedown notice and sends it to you. Alternately, the RIAA files a "John Doe" lawsuit, your ISP gives up your contact info, and you get served with a civil lawsuit.
In all three scenarios, you are probably "not guilty" or "not liable" -- but would likey have to incur costs to get to that final result. So even though it may ultimately be somebody else's problem, it is YOUR problem to clear your name and convince the law enforcement authorities (or civil litigants) that it's not you.
posted by QuantumMeruit at 10:35 AM on July 2, 2008
1. They seem to be having some trouble prosecuting cases where unsecured wifi is in the mix. They have continued prosecuting (and lost) in some cases, and in others they have dropped the case.
2. Generally speaking no they cannot see the MAC address or computer name from which it came (if using a router like you are) - they can only see the IP address. If they are sniffing your wireless traffic then yes they can determine which MAC address is being used, but most of the time the way they detect that you are sharing is via bittorrent connections. These bittorrent connections over the internet do not include your unique MAC address. Your unique MAC address is only used between your computer and your router.
posted by escher at 10:36 AM on July 2, 2008
2. Generally speaking no they cannot see the MAC address or computer name from which it came (if using a router like you are) - they can only see the IP address. If they are sniffing your wireless traffic then yes they can determine which MAC address is being used, but most of the time the way they detect that you are sharing is via bittorrent connections. These bittorrent connections over the internet do not include your unique MAC address. Your unique MAC address is only used between your computer and your router.
posted by escher at 10:36 AM on July 2, 2008
From the point of view of your ISP or anyone upstream, it all looks like traffic coming from your house. There isn't any real way for the ISP to identify which PC is sending the data if the PCs are behind a router.
Home routers like the Airport Extreme do something called IP masquerading, wherein all the computers behind it are using a single address to access content on the 'net. There are some techniques to attempt to count how many PCs are behind a single address, but there is no way to identify the machine responsible for a packet, period.
Regarding your personal liability, well, that's outside my area of expertise.
posted by knave at 10:37 AM on July 2, 2008
Home routers like the Airport Extreme do something called IP masquerading, wherein all the computers behind it are using a single address to access content on the 'net. There are some techniques to attempt to count how many PCs are behind a single address, but there is no way to identify the machine responsible for a packet, period.
Regarding your personal liability, well, that's outside my area of expertise.
posted by knave at 10:37 AM on July 2, 2008
Best answer: 1. Is it my liability if the **AA decides to sue?
Some would say it's a gray area of law. You didn't commit the violation, but it came from your connection. That said, if it did come to a lawsuit, the RIAA would totally go after you and all indications are that the 'burden of proof' would be on you, even though that's not how it's supposed to work. So the short answer is, "Yes, probably," it would be your liability. I'd liken it, possibly incorrectly, to someone driving your car and mowing down pedestrians.
2. Can they see who it actually was, like MAC address or computer name?
Not really. The MAC address is only visible on the LAN. All they can see is the external IP. If they were really good, there exist fingerprinting tools, though they'd really only be able to tell what OS it was coming from.
posted by fogster at 10:47 AM on July 2, 2008 [1 favorite]
Some would say it's a gray area of law. You didn't commit the violation, but it came from your connection. That said, if it did come to a lawsuit, the RIAA would totally go after you and all indications are that the 'burden of proof' would be on you, even though that's not how it's supposed to work. So the short answer is, "Yes, probably," it would be your liability. I'd liken it, possibly incorrectly, to someone driving your car and mowing down pedestrians.
2. Can they see who it actually was, like MAC address or computer name?
Not really. The MAC address is only visible on the LAN. All they can see is the external IP. If they were really good, there exist fingerprinting tools, though they'd really only be able to tell what OS it was coming from.
posted by fogster at 10:47 AM on July 2, 2008 [1 favorite]
It's also important to note that Cox has a three strikes rule about getting DMCA notices from the *AA. Get another two and you are SOL regarding a Cox account.
And, yea, they can't tell what computer did what from their end. MAC addresses are not broadcasted across networks and it looks like each computer has the same IP address on their end- hence why you could be on the hook.
posted by jmd82 at 10:54 AM on July 2, 2008
And, yea, they can't tell what computer did what from their end. MAC addresses are not broadcasted across networks and it looks like each computer has the same IP address on their end- hence why you could be on the hook.
posted by jmd82 at 10:54 AM on July 2, 2008
(I have my JD but IANAL) Third-party liability for copyright infringement is not an exceptionally easy area of law to navigate, and that's really what you're talking about here.
There are, in fact, circumstances in which you can be held legally responsible for the copyright infringement of others. There are other circumstances in which you can't. Whether this is the former or the latter, however, depends on a lot of variables and is best answered by your lawyer.
Don't fall into the trap of being secure with having the law on your side. If the RIAA decides they want to go after you, you will be the one required to mount a defense (or pay theextortion settlement demand) and it will not come at a small cost to you. If you win, there is an off chance that you will be able to recoup some of that money, but don't count on it.
Unless you've got a lot of money sitting around and are really interested in pushing this on principle, lock down the access point or, at the very least, start logging which computers are connected when. If you go with the latter, be prepared to rat out whoever it is doing the sharing if the RIAA comes calling.
posted by toomuchpete at 10:57 AM on July 2, 2008
There are, in fact, circumstances in which you can be held legally responsible for the copyright infringement of others. There are other circumstances in which you can't. Whether this is the former or the latter, however, depends on a lot of variables and is best answered by your lawyer.
Don't fall into the trap of being secure with having the law on your side. If the RIAA decides they want to go after you, you will be the one required to mount a defense (or pay the
Unless you've got a lot of money sitting around and are really interested in pushing this on principle, lock down the access point or, at the very least, start logging which computers are connected when. If you go with the latter, be prepared to rat out whoever it is doing the sharing if the RIAA comes calling.
posted by toomuchpete at 10:57 AM on July 2, 2008
Bruce Schneier outlines the risks and rewards
Remember that there are benefits to sharing an open access point, mostly karmic. You appreciate finding one when you need access, other people may appreciate using yours in a pinch.
As others have said, it's very difficult for the **AA to prove that you're the one downloading when you run an open access point. Yes, you'll have to fight them in court if you do get sued, but I think the more relevant point is that the odds of getting sued are very slim to begin with.
posted by chrisamiller at 11:11 AM on July 2, 2008
Remember that there are benefits to sharing an open access point, mostly karmic. You appreciate finding one when you need access, other people may appreciate using yours in a pinch.
As others have said, it's very difficult for the **AA to prove that you're the one downloading when you run an open access point. Yes, you'll have to fight them in court if you do get sued, but I think the more relevant point is that the odds of getting sued are very slim to begin with.
posted by chrisamiller at 11:11 AM on July 2, 2008
I should add that this assumes that all of your computers are adequately secured, that you don't have open network shares, that your OS has its security holes patched, etc. You should be doing that anyway, though.
(you are doing that anyway, RIGHT?)
posted by chrisamiller at 11:21 AM on July 2, 2008
(you are doing that anyway, RIGHT?)
posted by chrisamiller at 11:21 AM on July 2, 2008
How does fonera fit into this mix? Aren't they essentially an open wireless router?
posted by vilcxjo_BLANKA at 11:49 AM on July 2, 2008
posted by vilcxjo_BLANKA at 11:49 AM on July 2, 2008
Your best way would be to run zonecd or something similiar. :)
posted by majortom1981 at 12:10 PM on July 2, 2008
posted by majortom1981 at 12:10 PM on July 2, 2008
MAC addresses are not an effective means of tracking, unless you're watching your own LAN. Even then, it's not fool-proof. (Don't let anyone tell you MAC addresses are unique; they're not; the probability is just exceedingly low that in a home environment you'd have 2 devices with the same MAC address.)
Also, I second the comments stating that you should secure your wifi! It's your connection, and you are responsible for it. I'll spare you any annoying car analogies, but in the end, your IP address is associated with the traffic.
Like I used to tell consumers when I did tech support; "if I was doing something highly illegal on the Internet, would I do it from my home, or a connection I could borrow from down the street, associated with someone who is not me?"
Throw a WPA password on there and you're set. My typical choice is something like @55555555 (replace the 5s with a phone number; current or old, depending on your level of paranoia.)
posted by Dark Messiah at 2:29 PM on July 2, 2008
Also, I second the comments stating that you should secure your wifi! It's your connection, and you are responsible for it. I'll spare you any annoying car analogies, but in the end, your IP address is associated with the traffic.
Like I used to tell consumers when I did tech support; "if I was doing something highly illegal on the Internet, would I do it from my home, or a connection I could borrow from down the street, associated with someone who is not me?"
Throw a WPA password on there and you're set. My typical choice is something like @55555555 (replace the 5s with a phone number; current or old, depending on your level of paranoia.)
posted by Dark Messiah at 2:29 PM on July 2, 2008
Just to be clear, MAC addresses as assigned at the factory are supposed to be unique. Basically, unless the company that produced the device screws up, it is unique.
However, on almost every modern networking device, the MAC address can be changed in software with incredible ease.
Others have already answered your question about your liability. Just FWIW, if you got a letter from Cox, it's very unlikely the offended party will go any farther. I'd have a serious talk with the folks who are using your AP (that you know of!) and make sure they know that using BitTorrent to download illicit material (especially new/popular things) is just stupid.
There are other ways to go about such things that come at little to no risk to you.
posted by wierdo at 3:27 PM on July 2, 2008
However, on almost every modern networking device, the MAC address can be changed in software with incredible ease.
Others have already answered your question about your liability. Just FWIW, if you got a letter from Cox, it's very unlikely the offended party will go any farther. I'd have a serious talk with the folks who are using your AP (that you know of!) and make sure they know that using BitTorrent to download illicit material (especially new/popular things) is just stupid.
There are other ways to go about such things that come at little to no risk to you.
posted by wierdo at 3:27 PM on July 2, 2008
Fogster has it with the MAC addresses never propagating beyond your subnet. COX cannot see or log them (maybe if they provided the DSL router they could log ARP tables and access remotely, but they have no incentive to do so). I concur that you can incur court costs even in cases where you are not the responsible party.
posted by BrotherCaine at 3:37 PM on July 2, 2008
posted by BrotherCaine at 3:37 PM on July 2, 2008
Best answer: The person who is liable . . . is the guy who's account that DSL line is.
At best, this is an enormous assumption.
That said, if it did come to a lawsuit, the RIAA would totally go after you and all indications are that the 'burden of proof' would be on you, even though that's not how it's supposed to work.
What? The plaintiff alleging copyright infringement bears the burden of proof. See Jury instruction 10 from Capitol v. Thomas. The burden of paying lawyers and fighting the suit is on the defendant.
In all three scenarios, you are probably "not guilty" or "not liable" -- but would likey have to incur costs to get to that final result.
Completely right.
posted by averyoldworld at 7:38 AM on July 3, 2008
At best, this is an enormous assumption.
That said, if it did come to a lawsuit, the RIAA would totally go after you and all indications are that the 'burden of proof' would be on you, even though that's not how it's supposed to work.
What? The plaintiff alleging copyright infringement bears the burden of proof. See Jury instruction 10 from Capitol v. Thomas. The burden of paying lawyers and fighting the suit is on the defendant.
In all three scenarios, you are probably "not guilty" or "not liable" -- but would likey have to incur costs to get to that final result.
Completely right.
posted by averyoldworld at 7:38 AM on July 3, 2008
"The plaintiff alleging copyright infringement bears the burden of proof."
I guess I worded that in an unclear fashion. My point wasn't so much that the court would literally reverse the burden of proof, but merely that the past cases I've seen have essentially required the defendant to prove that it was not them. If you put me on trial for murder, you're going to have to bring in some evidence that it was actually me, other than, "A witness observed someone looking like Mr. Fogster near the victim the day he was killed." You're right—the burden of proof technically remains on the **AA in their suits, but it won't feel that it's working that way if you get dragged to court over it.
posted by fogster at 12:53 PM on July 3, 2008
I guess I worded that in an unclear fashion. My point wasn't so much that the court would literally reverse the burden of proof, but merely that the past cases I've seen have essentially required the defendant to prove that it was not them. If you put me on trial for murder, you're going to have to bring in some evidence that it was actually me, other than, "A witness observed someone looking like Mr. Fogster near the victim the day he was killed." You're right—the burden of proof technically remains on the **AA in their suits, but it won't feel that it's working that way if you get dragged to court over it.
posted by fogster at 12:53 PM on July 3, 2008
This thread is closed to new comments.
Sure, sniffing the packets will reveal the mac addresses of all computers using it.
If I run a shared connection and someone does something unlawful, is it my problem or theirs?
Its YOUR problem. Lock it down asap.
Can they see who it actually was, like MAC address or computer name?
They cant without logs but it doesnt matter. The person who is liable and gets sued is the guy who's account that DSL line is. At this point the MAC addresses and logs are items for your lawyer to help you, but certainly not a clean way to get out of trouble.
posted by damn dirty ape at 10:26 AM on July 2, 2008