Home / Blogs

No Virginia, You Have No Duty to Secure Your WiFi Access Point

Robert Cannon

Every now and again a report flies across the network about the police breaking down someone's door and attempting to arrest the home owner for bad things online — assuming that whatever happened from that person's Internet connection is their fault. Now there are lots of problems with this — lots of problems. But one of the big ones is that anyone can access an open access point; there is no way of knowing who did what at an open access point or ascribing that activity to the owner. And all the police have to do is pull out the WiFi device they probably have in their pocket to determine whether an access point is open or secured.

Stories such as this generally results in a flurry of phobic posts by friends warning each other to lock down their access points. This is not necessarily the right solution. There are lots of legitimate reasons for having an open access points — and the technology was specifically designed to permit open access points. The right solution would be for the legal community to mature in its comprehension that what transpires on an open access point cannot be ascribed to anyone.

A federal court in California recently considered the question of whether the owner of an access point has a duty to secure it. In AF HOLDINGS, LLC v. Doe, NDCA 2012, plaintiff sued John Doe for illegally downloading plaintiff's copyright protected video, and sued Defendant Hatfield for Defendant's negligent failure to secure the access point.

Okay first year law students, what are the elements of negligence? Duty, breach, cause, and damage. Does Defendant have a duty to Plaintiff? 

Plaintiff is arguing that Defendant failed to act — failed to secure his network. A failure to act is called "non-feasance." To have a duty that is breached by inaction, says the court, requires Defendant to have a special relationship to Plaintiff. Or, to say it another way, you are not required to be a Good Samaritan — you are not required to act — unless there is a special relationship. The court states:

Plaintiff has not articulated any basis for imposing on Defendant a legal duty to prevent the infringement of Plaintiff's copyrighted works, and the court is aware of none. Defendant is not alleged to have any special relationship with Plaintiff that would give rise to a duty to protect Plaintiff's copyrights, and is also not alleged to have engaged in any misfeasance by which he created a risk of peril.

The allegations in the complaint are general assertions that in failing to take action to "secure" access to his Internet connection, Defendant failed to protect Plaintiffs from harm. Thus, the complaint plainly alleges that Defendant's supposed liability is based on his failure to take particular actions, and not on the taking of any affirmative actions. This allegation of non-feasance cannot support a claim of negligence in the absence of facts showing the existence of a special relationship.

It ain't Defendant's job (or anyone else for that matter) to protect Plaintiff's copyrights.

The court further notes that Plaintiff has attempted to re-characterize a copyright claim as a negligence claim. Such attempts to re-characterize copyright claims are preempted by the copyright act. Either someone is liable under the copyright act or not; re-characterizing such a claim as negligence doesn't work.

Finally, Defendant argues that he is immune from liability pursuant to 47 USC 230, the Good Samaritan Provision of the Communications Decency Act, which states that no provider of an interactive computer service shall be liable for the actions of a third party. In this case, Defendant arguably was a provider of Internet service to John Doe — the alleged downloader — and is not liable for whatever John Doe might have done. The court appeared persuaded by this argument, but concluded that since there was no negligence cause of action, and since the negligence cause of action was preempted, it was unnecessary to rule on the question of Sec. 230 immunity.

In short, according to this court:

  • No duty to secure a WiFi access point;
  • Any claim of breach of such duty resulting in copyright infringement would be preempted by copyright law; and
  • Any attempt to impose liability on the WiFi access point owner would likely be defeated by Sec. 230 immunity.

Of course, there are good reasons to secure your WiFi access point. For one thing, it encrypts your communications from your computer to your WiFi access point, protecting against main-in-the-middle attacks or someone intercepting your communications. The Federal Trade Commission's Onguard Online project provides some helpful advice.

By Robert Cannon, Cybertelecom. More blog posts from Robert Cannon can also be read here.

Related topics: Access Providers, Cybercrime, Law, Policy & Regulation, Security, Wireless

WEEKLY WRAP — Get CircleID's Weekly Summary Report by Email:

Comments

To post comments, please login or create an account.

Related Blogs

Related News

Topics

Industry Updates – Sponsored Posts

New gTLDs and Best Practices for Domain Management Policies (Video)

Nominum Announces Future Ready DNS

New from Verisign Labs - Measuring Privacy Disclosures in URL Query Strings

DotConnectAfrica Delegates Attend the Kenya Internet Governance Forum

Neustar to Launch usTLD Stakeholder Council

3 Questions to Ask Your DNS Host about Lowering DDoS Risks

Continuing to Work in the Public Interest

Verisign Named to the OTA's 2014 Online Trust Honor Roll

4 Minutes Vs. 4 Hours: A Responder Explains Emergency DDoS Mitigation

Dyn Acquires Internet Intelligence Company, Renesys

Tips to Address New FFIEC DDoS Requirements

Smokescreening: Data Theft Makes DDoS More Dangerous

dotStrategy Selects Neustar's Registry Threat Mitigation Services for .BUZZ Registry

24 Million Home Routers Expose ISPs to Massive DNS-Based DDoS Attacks

What Does a DDoS Attack Look Like? (Watch First 3 Minutes of an Actual Attack)

Joining Forces to Advance Protection Against Growing Diversity of DDoS Attacks

Why Managed DNS Means Secure DNS

Rodney Joffe on Why DNS Has Become a Favorite Attack Vector

DotConnectAfrica Attends Transform Africa 2013 Summit in Rwanda

Motivated to Solve Problems at Verisign

Sponsored Topics