Home / Blogs

No Virginia, You Have No Duty to Secure Your WiFi Access Point

By Robert Cannon Cybertelecom

Every now and again a report flies across the network about the police breaking down someone’s door and attempting to arrest the home owner for bad things online—assuming that whatever happened from that person’s Internet connection is their fault. Now there are lots of problems with this—lots of problems. But one of the big ones is that anyone can access an open access point; there is no way of knowing who did what at an open access point or ascribing that activity to the owner. And all the police have to do is pull out the WiFi device they probably have in their pocket to determine whether an access point is open or secured.

Stories such as this generally results in a flurry of phobic posts by friends warning each other to lock down their access points. This is not necessarily the right solution. There are lots of legitimate reasons for having an open access points—and the technology was specifically designed to permit open access points. The right solution would be for the legal community to mature in its comprehension that what transpires on an open access point cannot be ascribed to anyone.

A federal court in California recently considered the question of whether the owner of an access point has a duty to secure it. In AF HOLDINGS, LLC v. Doe, NDCA 2012, plaintiff sued John Doe for illegally downloading plaintiff’s copyright protected video, and sued Defendant Hatfield for Defendant’s negligent failure to secure the access point.

Okay first year law students, what are the elements of negligence? Duty, breach, cause, and damage. Does Defendant have a duty to Plaintiff? 

Plaintiff is arguing that Defendant failed to act—failed to secure his network. A failure to act is called “non-feasance.” To have a duty that is breached by inaction, says the court, requires Defendant to have a special relationship to Plaintiff. Or, to say it another way, you are not required to be a Good Samaritan—you are not required to act—unless there is a special relationship. The court states:

Plaintiff has not articulated any basis for imposing on Defendant a legal duty to prevent the infringement of Plaintiff’s copyrighted works, and the court is aware of none. Defendant is not alleged to have any special relationship with Plaintiff that would give rise to a duty to protect Plaintiff’s copyrights, and is also not alleged to have engaged in any misfeasance by which he created a risk of peril.

The allegations in the complaint are general assertions that in failing to take action to “secure” access to his Internet connection, Defendant failed to protect Plaintiffs from harm. Thus, the complaint plainly alleges that Defendant’s supposed liability is based on his failure to take particular actions, and not on the taking of any affirmative actions. This allegation of non-feasance cannot support a claim of negligence in the absence of facts showing the existence of a special relationship.

It ain’t Defendant’s job (or anyone else for that matter) to protect Plaintiff’s copyrights.

The court further notes that Plaintiff has attempted to re-characterize a copyright claim as a negligence claim. Such attempts to re-characterize copyright claims are preempted by the copyright act. Either someone is liable under the copyright act or not; re-characterizing such a claim as negligence doesn’t work.

Finally, Defendant argues that he is immune from liability pursuant to 47 USC 230, the Good Samaritan Provision of the Communications Decency Act, which states that no provider of an interactive computer service shall be liable for the actions of a third party. In this case, Defendant arguably was a provider of Internet service to John Doe—the alleged downloader—and is not liable for whatever John Doe might have done. The court appeared persuaded by this argument, but concluded that since there was no negligence cause of action, and since the negligence cause of action was preempted, it was unnecessary to rule on the question of Sec. 230 immunity.

In short, according to this court:

  • No duty to secure a WiFi access point;
  • Any claim of breach of such duty resulting in copyright infringement would be preempted by copyright law; and
  • Any attempt to impose liability on the WiFi access point owner would likely be defeated by Sec. 230 immunity.

Of course, there are good reasons to secure your WiFi access point. For one thing, it encrypts your communications from your computer to your WiFi access point, protecting against main-in-the-middle attacks or someone intercepting your communications. The Federal Trade Commission’s Onguard Online project provides some helpful advice.

By Robert Cannon, Cybertelecom

Filed Under

Comments

Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

VINTON CERF
Co-designer of the TCP/IP Protocols & the Architecture of the Internet

Related

Topics

IPv4 Markets

Sponsored byIPv4.Global

DNS

Sponsored byDNIB.com

Threat Intelligence

Sponsored byWhoisXML API

New TLDs

Sponsored byRadix

Brand Protection

Sponsored byCSC

Cybersecurity

Sponsored byVerisign

Domain Names

Sponsored byVerisign

View All Topics