Home / Blogs

No Virginia, You Have No Duty to Secure Your WiFi Access Point

Robert Cannon

Every now and again a report flies across the network about the police breaking down someone's door and attempting to arrest the home owner for bad things online — assuming that whatever happened from that person's Internet connection is their fault. Now there are lots of problems with this — lots of problems. But one of the big ones is that anyone can access an open access point; there is no way of knowing who did what at an open access point or ascribing that activity to the owner. And all the police have to do is pull out the WiFi device they probably have in their pocket to determine whether an access point is open or secured.

Stories such as this generally results in a flurry of phobic posts by friends warning each other to lock down their access points. This is not necessarily the right solution. There are lots of legitimate reasons for having an open access points — and the technology was specifically designed to permit open access points. The right solution would be for the legal community to mature in its comprehension that what transpires on an open access point cannot be ascribed to anyone.

A federal court in California recently considered the question of whether the owner of an access point has a duty to secure it. In AF HOLDINGS, LLC v. Doe, NDCA 2012, plaintiff sued John Doe for illegally downloading plaintiff's copyright protected video, and sued Defendant Hatfield for Defendant's negligent failure to secure the access point.

Okay first year law students, what are the elements of negligence? Duty, breach, cause, and damage. Does Defendant have a duty to Plaintiff? 

Plaintiff is arguing that Defendant failed to act — failed to secure his network. A failure to act is called "non-feasance." To have a duty that is breached by inaction, says the court, requires Defendant to have a special relationship to Plaintiff. Or, to say it another way, you are not required to be a Good Samaritan — you are not required to act — unless there is a special relationship. The court states:

Plaintiff has not articulated any basis for imposing on Defendant a legal duty to prevent the infringement of Plaintiff's copyrighted works, and the court is aware of none. Defendant is not alleged to have any special relationship with Plaintiff that would give rise to a duty to protect Plaintiff's copyrights, and is also not alleged to have engaged in any misfeasance by which he created a risk of peril.

The allegations in the complaint are general assertions that in failing to take action to "secure" access to his Internet connection, Defendant failed to protect Plaintiffs from harm. Thus, the complaint plainly alleges that Defendant's supposed liability is based on his failure to take particular actions, and not on the taking of any affirmative actions. This allegation of non-feasance cannot support a claim of negligence in the absence of facts showing the existence of a special relationship.

It ain't Defendant's job (or anyone else for that matter) to protect Plaintiff's copyrights.

The court further notes that Plaintiff has attempted to re-characterize a copyright claim as a negligence claim. Such attempts to re-characterize copyright claims are preempted by the copyright act. Either someone is liable under the copyright act or not; re-characterizing such a claim as negligence doesn't work.

Finally, Defendant argues that he is immune from liability pursuant to 47 USC 230, the Good Samaritan Provision of the Communications Decency Act, which states that no provider of an interactive computer service shall be liable for the actions of a third party. In this case, Defendant arguably was a provider of Internet service to John Doe — the alleged downloader — and is not liable for whatever John Doe might have done. The court appeared persuaded by this argument, but concluded that since there was no negligence cause of action, and since the negligence cause of action was preempted, it was unnecessary to rule on the question of Sec. 230 immunity.

In short, according to this court:

  • No duty to secure a WiFi access point;
  • Any claim of breach of such duty resulting in copyright infringement would be preempted by copyright law; and
  • Any attempt to impose liability on the WiFi access point owner would likely be defeated by Sec. 230 immunity.

Of course, there are good reasons to secure your WiFi access point. For one thing, it encrypts your communications from your computer to your WiFi access point, protecting against main-in-the-middle attacks or someone intercepting your communications. The Federal Trade Commission's Onguard Online project provides some helpful advice.

By Robert Cannon, Cybertelecom. More blog posts from Robert Cannon can also be read here.

Related topics: Access Providers, Cybercrime, Law, Policy & Regulation, Security, Wireless

 
   
WEEKLY WRAP — Get CircleID's Weekly Summary Report by Email:

Comments

To post comments, please login or create an account.

Related Blogs

Related News

Explore Topics

Industry Updates – Sponsored Posts

Facilitating a Trusted Web Space for Financial Service Professionals

MarkMonitor Partners with CYREN to Deepen Visibility into Global Phishing Attacks

Verisign Named to the Online Trust Alliance's 2016 Honor Roll

Verisign Q1 2016 DDoS Trends: Attack Activity Increases 111 Percent Year Over Year

Is Your TLD Threat Mitigation Strategy up to Scratch?

i2Coalition to Host First Ever Smarter Internet Forum

Encrypting Inbound and Outbound Email Connections with PowerMTA

US Court Grants DCA Trust's Motion for Preliminary Injunction on .Africa gTLD

Resilient Cybersecurity: Dealing with On-Premise, Cloud-Based and Hybrid Security Complexities

Verisign Releases Q4 2015 DDoS Trends - DDoS Attack Activity Increasing by 85% Year Over Year

Best Practices from Verizon - Proactively Mitigating Emerging Fraudulent Activities

Neustar Data Identifies Most Popular Times of Year for DDoS Attacks in 2015

The Framework for Resilient Cybersecurity (Webinar)

2015 Trends: Multi-channel, Streaming Media and the Growth of Fraud

Dyn Weighs In On Whois

Data Volumes and Network Stress to Be Top IoT Concerns

DKIM for ESPs: The Struggle of Living Up to the Ideal

Verisign Mitigates More Attack Activity in Q3 2015 Than Any Other Quarter During Last Two Years

Verisign & Forrester Webinar: Defending Against Cyber Threats in Complex Hybrid-Cloud Environments

Introducing Verisign Public DNS: A Free Recursive DNS Service That Respects Your Privacy

Sponsored Topics

Verisign

Security

Sponsored by
Verisign
Afilias - Mobile & Web Services

Mobile

Sponsored by
Afilias - Mobile & Web Services
Port25

Email

Sponsored by
Port25
Afilias

DNS Security

Sponsored by
Afilias