Piggybacking (Internet access)
Piggybacking on Internet access is the practice of establishing a wireless Internet connection by using another subscriber's wireless Internet access service without the subscriber's explicit permission or knowledge. It is a legally and ethically controversial practice, with laws that vary by jurisdiction around the world. While completely outlawed or regulated in some places, it is permitted in others.
A customer of a business providing hotspot service, such as a hotel or café, is generally not considered to be piggybacking, though non-customers or those outside the premises who are simply in reach may be. Many such locations provide wireless Internet access as a free or paid-for courtesy to their patrons or simply to draw people to the area. Others near the premises may be able to gain access.
Piggybacking is distinct from wardriving, which involves only the logging or mapping of the existence of access points.
Piggybacking has become a widespread practice in the 21st century due to the advent of wireless Internet connections and Wireless access points. Computer users who either do not have their own connections or who are outside the range of their own might find someone else's by wardriving or luck and use that one.
However, those residing near a hotspot or another residence with the service have been found to have the ability to piggyback off such connections without patronizing these businesses, which has led to more controversy. While some may be in reach from their own home or nearby, others may be able to do so from the parking lot of such an establishment, from another business that generally tolerates the user's presence, or from the public domain. Others, especially those living in apartments or town houses, may find themselves able to use a neighbour's connection.
Long range antennas can be hooked up to laptop computers with an external antenna jack - these allow a user to pick up a signal from as far as several kilometers away. Since unsecured wireless signals can be found readily in most urban areas, laptop owners may find free or open connections almost anywhere. While 2.4 and 5.8 GHz antennas are commercially available and easily purchased from many online vendors, they are also relatively easy to make. Laptops and tablets that lack external antenna jacks can rely on external Wi-Fi modems with radios - many requiring only USB or Power over Ethernet (PoE) power connections which the laptop can itself easily provide from its own battery.
Reasons for piggybacking
There are many reasons why Internet users desire to piggyback on other's networks.
For some, the cost of Internet service is a factor. Many computer owners who cannot afford a monthly subscription to an Internet service, who only use it occasionally, or who otherwise wish to save money and avoid paying, will routinely piggyback from a neighbour or a nearby business, or visit a location providing this service without being a paying customer. If the business is large and frequented by many people, this may go largely unnoticed. Yet other piggybackers are regular subscribers to their own service, but are away from home when they wish to gain Internet access and do not have their own connection available at all or at an agreeable cost.
Often, a user will access a network completely by accident, as the network access points and computer's wireless cards and software are designed to connect easily by default. This is common when away from home or when the user's own network is not behaving correctly. Such users are often unaware that they are piggybacking, and the subscriber has not noticed. Regardless, piggybacking is difficult to detect unless the user can be viewed by others using a computer under suspicious circumstances.
Network owners leave their networks unsecured for a variety of reasons. They may desire to share their Internet access with their neighbours or the general public or may be intimidated by the knowledge and effort required to secure their network while making it available to their own laptops. Some wireless networking devices may not support the latest security mechanisms, and users must therefore leave their network unsecured. For example the Nintendo DS and Nintendo DS Lite can only access wireless routers using the discredited WEP standard, however, the Nintendo DSi and Nintendo 3DS both support WPA encryption. Given the rarity of such cases where hosts have been held liable for the activities of piggybackers, they may be unaware or unconcerned about the risks they incur by not securing their network, or of a need for an option to protect their network.
Some jurisdictions have laws requiring residential subscribers to secure their networks (e.g., "négligence caractérisée" in HADOPI). Even where not required by law, landlords might request that tenants secure their networks as a condition of their lease.
Views on the ethics of piggybacking vary widely. Many support the practice, stating it is harmless, and that it benefits the piggybacker at no expense to others, while others criticize it with terms like "leeching", "mooching", or "freeloading". A variety of analogies are made in public discussions to relate the practice to more familiar situations. Advocates compare the practice to:
- Sitting behind another passenger on a train, and reading their newspaper over their shoulder.
- Enjoying the music a neighbour is playing in their backyard.
- Using a drinking fountain.
- Sitting in a chair put in a public place.
- Reading from the light of a porch light or streetlamp.
- Accepting an invitation to a party, since unprotected wireless routers can be interpreted as being open to use.
- Borrowing a cup of sugar
Opponents to piggybacking compare the practice to:
- Entering a home just because the door is unlocked
- Hanging on the outside of a bus to obtain a free ride.
- Connecting one's own wire to a neighbour's house to obtain free cable TV service when the neighbour is a subscriber.
The piggybacker is using the connection paid for by another without sharing the cost. This is especially commonplace in an apartment building where many residents live within the normal range of a single wireless connection. Some residents are able to gain free Internet access while others pay. Many ISPs charge monthly rates, however, so there is no difference in cost to the network owner. Excessive piggybacking may slow the host's connection, with the host typically unaware of the reason for the reduction of speed. This is more of a problem where a large number of persons are engaging in this practice, such as in an apartment or near a business.
Piggybackers may engage in illegal activity such as identity theft or child pornography without much of a trail to their own identity, leaving network owners subject to investigation for crimes of which they are unaware. While persons engaging in piggybacking are generally honest citizens, a smaller number are breaking the law in this manner, avoiding identification by investigators. This in particular has led to some anti-piggybacking laws.
Some access points, when using factory default settings, are configured to provide wireless access to all who request it. Some commentators argue that those who set up access points without enabling security measures are offering their connection to the community. Many people intentionally leave their networks open to allow neighbours casual access, with some joining wireless community networks to share bandwidth freely. It has largely become good etiquette to leave access points open for others to use, just as someone expects to find open access points while on the road.
Jeffrey L. Seglin, ethicist for the New York Times, recommends notifying network owners if they are identifiable, but says there is nothing inherently wrong with accessing an open network and using the connection. "The responsibility for deciding whether others should be able to tap into a given access belongs squarely on the shoulders of those setting up the original connection."
Similarly, Randy Cohen, author of The Ethicist column for The New York Times Magazine and National Public Radio, says that one should attempt to contact the owner of a regularly used network, and offer to contribute to the cost. But he points out that network owners can easily password protect their networks, and quotes attorney Mike Godwin, concluding that open networks likely represent indifference on the part of the network owner, and accessing them is morally acceptable, if not abused.
Policy analyst Timothy B. Lee writes in the International Herald Tribune that the ubiquity of open wireless points is something to celebrate. He says that borrowing a neighbour's Wi-Fi is like sharing a cup of sugar, and leaving a network open is just being a good neighbour.
Techdirt article contributor Mike Masnick responded recently to an article in Time Magazine, expressing his disagreement with why a man was arrested for piggybacking a cafe's wireless medium. The man was charged with breaking Title 18, Part 1, Chapter 47 of the United States Code, which states and includes anyone who: "intentionally accesses a computer without authorization or exceeds authorized access." The "Time's" writer himself is not sure what that title really means or how it applies to contemporary society, being that the code was established regarding computers and their networks during the Cold War era.
In the technical legality of the matter, Techdirt writer Mike Masnick believes the code was not broken because the access point owner did not secure their device specifically for authorized users, therefore the device was implicitly placed into a status of "authorized". Lev Grossman, with Time Magazine, is on the side of most specialist and consumers, who believe the fault, if there is any, is mostly with the network's host or owner
An analogy commonly used in this arena of debate equates wireless signal piggybacking with entering a house with an open door. Both are supposed to be equatable but the analogy is tricky, as it does not take into account unique differences regarding the two items in reference, ultimately leaving the analogy flawed.
The key to the flaw in the analogy is that with an unprotected access point the default status is for all users to be authorized. An access point is an active device which initiates the announcement of its services and if setup securely allows or denies authorization by its visitors.
A house door on the other hand has physical attributes that distinguish access to the house as authorized or unauthorized by its owner. Even with an open house door, it is plain to know if you have been invited to that house by its owner and if entrance will be authorized or denied. A house owner's door is passive but has an owner who knows the risks of leaving their door open and house unprotected in the absence of their gate keeping presence. Equally, wireless access point owners should be aware that security risks exist when they leave their network unprotected. In this scenario, the owner has made a decision, which is to allow their gatekeeper or access point to authorize all who attempt to connect because the gatekeeper was not told who to not let in.
Laws do not have the physical ability to prevent such action from occurring, and piggybacking may be practiced with negligible detection.
The owner of any wireless connection has the ability to block access from outsiders by engaging wireless LAN security measures. Not all owners do so, and some security measures are more effective than others. As with physical security, choice is a matter of trade-offs involving the value of what is being protected, the probability of its being taken, and the cost of protection. An operator merely concerned with the possibility of ignorant strangers leeching Internet access may be less willing to pay a high cost in money and convenience than one who is protecting valuable secrets from experienced and studious thieves. More security-conscious network operators may choose from a variety of security measures to limit access to their wireless network, including:
- Hobbyists, computer professionals and others can apply Wired Equivalent Privacy (WEP) to many access points without cumbersome setup, but it offers little in the way of practical security against similarly studious piggybackers. It is cryptographically very weak, so an access key can easily be cracked. Its use is often discouraged in favor of other more robust security measures, but many users feel that any security is better than none or are unaware of any other. In practice, this may simply mean that nearby non-WEP networks are more accessible targets. WEP is sometimes known to slow down network traffic in the sense that the WEP implementation causes extra packets to be transmitted across the network. Some claim that "Wired Equivalent Privacy" is a misnomer, but it generally fits because wired networks are not particularly secure either.
- Wi-Fi Protected Access (WPA), as well as WPA2 and EAP are more secure than WEP. As of May 2013, 44.3 percent of all wireless networks surveyed by WiGLE use WPA or WPA2.
- MAC address authentication in combination with discretionary DHCP server settings allow a user to set up an "allowed MAC address" list. Under this type of security, the access point will only give an IP Address to computers whose MAC address is on the list. Thus, the network administrator would obtain the valid MAC addresses from each of the potential clients in their network. Disadvantages to this method include the additional setup. This method does not prevent eavesdropping traffic sent over the air (there is no encryption involved). Methods to defeat this type of security include MAC address spoofing, detailed on the MAC address page, whereby network traffic is observed, valid MACs are collected, and then used to obtain DHCP leases. It is also often possible to configure IP for a computer manually, ignoring DHCP, if sufficient information about the network is known (perhaps from observed network traffic).
- IP security (IPsec) can be used to encrypt traffic between network nodes, reducing or eliminating the amount of plain text information transmitted over the air. This security method addresses privacy concerns of wireless users, as it becomes much more difficult to observe their wireless activity. Difficulty of setting up IPsec is related to the brand of access point being used. Some access points may not offer IPsec at all, while others may require firmware updates before IPsec options are available. Methods to defeat this type of security are computationally intensive to the extent that they are infeasible using readily-available hardware, or they rely on social engineering to obtain information (keys, etc.) about the IPsec installation.
- VPN options such as tunnel-mode IPSec or OpenVPN can be difficult to set up, but often provide the most flexible, extendable security, and as such are recommended for larger networks with many users.
- Wireless intrusion detection systems can be used to detect the presence of rogue access points which expose a network to security breaches. Such systems are particularly of interest to large organizations with many employees.
- Flash a 3rd party firmware such as OpenWrt, Tomato or DD-WRT with support for RADIUS.
- Honeypot (computing) involves setting up a computer on a network just to see who comes along and does something on the open access point.
- Disabling SSID broadcasts. Although, it only hides networks superficially. MAC addresses of routers are still broadcast, and can be detected using special means.
There are several alternatives to the need to piggyback. Internet access is available (on many data plans or inclusive) on many smart phones and PDAs. Although there may be browsing limitations compared with Internet access on a desktop/laptop computer, it can be accessed anywhere there is an adequately strong data signal. Some mobile phone service providers offer mobile internet service via a data connection from a laptop to a mobile phone. Also known as tethering, one can interface to their phone both wirelessly (bluetooth/wifi) or via cable allowing computer Internet access anywhere there is a cell network signal. Some jurisdictions have been experimenting with statewide, province-wide, county-wide or municipal wireless network access. In the USA, Baltimore County, Maryland has recently announced a plan to provide free Wi-Fi access throughout the entire county. Currently, this service is being provided in the central business district of the county seat (Towson), USA, and it is gradually being expanded through the remainder of the county. These pilot programs may result in similar services being provided nationwide. Free Internet access hotspots have also been opened by a wide range of organisations. They may be found at Free-hotspot.com. FON is a wireless Internet router-vending company that has a specific Internet/network access sharing scheme which allows its users to share their Internet access for free to FON-users. Non-FON-users can also link-up, at a small price. The idea is to create a global, free Internet access system.
- Local area network
- IEEE 802.11
- Wireless network
- Exposed terminal problem
- Hidden terminal problem
- Fixed Wireless Data
- Evil twin phishing
- Legality of piggybacking
- Yi, Matthew (2003-08-25). "Wi-Fi hits the spot". San Francisco Chronicle. Retrieved 2007-09-03.
- Cheng, Jacqui. "Michigan man arrested for using cafe's free WiFi from his car". Ars Technica. Retrieved 1 July 2012.
- Marriott, Michel (2006-03-05). "Hey Neighbor, Stop Piggybacking on My Wireless". The New York Times. Retrieved 2007-04-09.
- How to Steal Wi-Fi Slate.com
- Seglin, Jeffrey L. (2006-02-26). "If Internet connection is open, feel free to use it". The Columbus Dispatch. Archived from the original on 2011-07-21. Retrieved 2014-07-01.
- Cohen, Randy (2004-02-08). "Wi-Fi Fairness". The New York Times. Retrieved 2007-09-03.
- Randy Cohen (Director), Jennifer Ludden (Director) (2005-04-17). "Stealing Thin Air". All Things Considered. National Public Radio. Retrieved 2007-09-03.
- Lee, Timothy B. (2006-03-17). "Wireless Internet: Hop on my bandwidth". International Herald Tribune. Archived from the original on 2008-06-13. Retrieved 2014-07-01.
- Masnick, Mike (2008-07-19). "On The Criminality Of WiFi Piggybacking...". Techdirt. Retrieved 2010-07-12.
- Grossman, Lev (2008-07-12). "Confessions of a Wi-Fi Thief". Time. Retrieved 2010-07-12.
- "Is making use of unprotected Wi-Fi stealing?". 2010-02-27. Retrieved 2010-07-12.
- "NO FREE LUNCH (OR WI-FI): MICHIGAN’S UNCONSTITUTIONAL COMPUTER CRIME STATUTE" (PDF). UCLA Journal of Law & Technology. Spring 2009. Retrieved 2010-07-12.
- WiGLE - Wireless Geographic Logging Engine - Stats
- Kern, Benjamin D. (December 2005). "Whacking, Joyriding and War-Driving: Roaming Use of Wi-Fi and the Law". CIPerati 2 (4). Retrieved 2007-09-01.
- Adam, A K M (2004-08-22). "So Weirdly Wrong". AKMA's Random Thoughts. Retrieved 2007-09-03. - An encounter in which a police officer tells a blogger he cannot use a public library's Internet access from a bench outside the library, and can't even use his laptop in the vicinity.