Is it legal to use Firesheep at Starbucks?
Legal experts debate legality of Firefox add-on that steals Facebook, Twitter account access at public hot spots
Computerworld - People using the Firesheep add-on may be breaking federal wiretapping laws, legal experts said today.
Or maybe not.
"I honestly don't know the answer," said Phil Malone, a clinical professor of law at Harvard Law School as well as the director of the school's Cyberlaw Clinic at the Berkman Center for Internet and Society. Malone also served for more than 20 years as a federal prosecutor with the U.S. Department of Justice.
Firesheep, which was released just over a week ago and has been downloaded nearly half a million times since, is an add-on to Mozilla's Firefox browser that identifies users on an open network -- such as a coffee shop's public Wi-Fi hot spot -- who are visiting an unsecured Web site.
But while the tool itself is not illegal, using it may be a violation of federal wiretapping laws and an invasion of privacy, experts said.
"There are two schools of thought," said Jonathan Gordon, a partner in the Los Angeles office of law firm Alston & Bird. "The first is that there's no reasonable expectation of privacy in a public insecure Wi-Fi connection."
Gordon, who regularly counsels clients on their Internet business practices, cited the U.S. statute pertaining to wiretapping, which states that it's not a violation of the law "to intercept or access an electronic communication made through an electronic communication system that is configured so that such electronic communication is readily accessible to the general public."
But a second school of thought, said Gordon, "is that when people are accessing their social network [account], they have an expectation that whatever they're doing is governed by the privacy settings in that network." In other words, the fact that accessing a site takes place in an unsecure environment is beside the point.
Gordon acknowledged that the second position was held by a minority of legal experts.
Scott Christie, a partner in the Newark, N.J., office of law firm of McCarter & English, is in that minority, and he said that using tools such as Firesheep -- dubbed "packet-sniffers" -- is illegal.
"Do people have a reasonable expectation of privacy when they're at a public node? The answer is probably yes," said Christie. "They don't forfeit their expectation of privacy simply by using a public Wi-Fi spot. And wiretap laws in general make it illegal to intercept real-time communications and content."
But privacy laws were not crafted to cover scenarios where the owner of the data -- in the Firesheep example, people accessing their Facebook accounts at an unsecured hot spot -- didn't take steps to protect their information.
That's one of the reasons why the legality of Firesheep, and other tools like it, remains up in the air.
"It's an unsettled legal issue, but it will be tested at some point," Christie said. "Like many other situations, this is one of those areas where the law was crafted prior to the Internet age, and the courts will have to catch up."
Gordon agreed. "It may be difficult [to clarify this], but it will happen," he said.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts