Is it legal to use Firesheep at Starbucks?

Legal experts debate legality of Firefox add-on that steals Facebook, Twitter account access at public hot spots

1 2 Page 2
Page 2 of 2

Another law may also apply to Firesheep use, said Malone. That law, the Pen Register and Trap and Trace Devices Act (sometimes shortened to the Pen/Trap Act), was crafted with telephone line wiretapping in mind, but it could be called on by prosecutors, Malone said.

A packet-sniffer that snatches important information, such as the IP address or other sending and receiving information, including addressing or routing data, is one case where the Pen/Trap Act might be applied.

"If something like Firesheep grabbed some pretty bad stuff, technically it may have violated [the Pen/Trap Act]," said Malone, adding that an aggressive prosecutor might decide to file charges based on that law.

Christie wasn't so sure. "If a tool like Firesheep captured IP addresses, the criminal component of it might apply, but I'm not sure anyone would use it."

The legal experts also noted similarities between the Firesheep situation and Google's trouble with U.S. and foreign regulators over its Street View vehicles. Earlier this year, Google admitted that those vehicles had grabbed information from unsecured wireless networks as they snapped photos and mapped hot spots.

Two weeks ago, Google admitted that in some cases the Street View sniffers had captured complete e-mail messages and user passwords.

Google claimed that the data collection had been unintentional, and it argued that the practice did not violate federal laws because the wireless networks were not password-protected. However, that didn't stop several state attorneys general from asking Google for more information as they tried to decide whether the company broke federal or state laws, including wiretapping and privacy statutes.

Last week, the Federal Trade Commission closed an investigation into Google's Street View activities. However, the company faces numerous class-action lawsuits in the U.S. over the practice and may be fined by some European privacy agencies.

Malone said he suspected that before the law catches up to Firesheep and its ilk, Web sites will lock down their services, making the issue moot. That's also the hope of Eric Butler, the Seattle-based Web application developer who said he released Firesheep to raise awareness of the lack of Web site security.

"Maybe all the bad press [over Firesheep] will make people realize that there's a problem, and enough to shame sites into changing," Malone said. "Maybe this is the wake-up call we needed."

Last week, several security experts offered advice on how users could protect themselves against Firesheep snooping.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, or subscribe to Gregg's RSS feed . His e-mail address is gkeizer@computerworld.com.

Copyright © 2010 IDG Communications, Inc.

1 2 Page 2
Page 2 of 2
7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon