Hacker News
Germany plans to remove owner liability for piracy on open Wi-Fi hotspots–report (arstechnica.co.uk)
371 points by Tomte on May 14, 2016 | 78 comments



The article doesn't mention that the case was fought in court by German Pirate Party activist Tobias McFadden.

http://piratetimes.net/german-pirates-went-to-the-european-c...

In addition, there is Freifunk, a non-commercial initiative to provide free public WiFi.

https://freifunk.net/en/


The wording of the proposed law is not published yet and there are good reasons (including statements by the involved ministries) to believe that it does not really have the effect they claim.


Just politically it doesn't make any sense to me to believe the change will have that effect.

Why would after such a long time the CDU suddenly drop the pro-Störerhaftung position? It seems much more likely that SPD and CDU have reached a compromise that eliminates the Störerhaftung only partially.

I expect the outcome will just create legal uncertainty. So that there won't be any positive effect.


> Why would after such a long time the CDU suddenly drop the pro-Störerhaftung position?

That's because the Advocate General (AG) to the Court of Justice of the European Union (CJEU) has decided it to be so [0]. According to the AG, there has to be balance between "freedom to conduct business" and "protection of IP". So, the requirement to make WiFi networks secure via passwords is an unfair balance.

The AG's counsel is not binding on the CJEU but it gives you fair direction on which side the CJEU would rule.

[0] http://curia.europa.eu/jcms/upload/docs/application/pdf/2016...


That's a very good reason. I don't think it truly explains the shift, considering the larger context. They suffered similar and larger legal setbacks on data retention and they didn't change their position on that, they pursued it further.

Why are they willing to drop this so much more quickly? Is the legal argument stronger here? Are the law and order people just that much more powerful than the intellectual property people? Is there a larger compromise at play, where the CDU compromises on this issue and the SPD on another?


The black helicopter conspiracy theorist in me whispers: As a mass surveillance strategy it makes much more sense to have a national tap on all the free wifi than to require passwords/id, which would send potential terrorists underground with something harder to tap. The threat of an effective security culture of "undesirable" cells around, say, one-time pads, is the end-game that any state security apparatus is trying to avoid.


Especially with the Freifunk community threatening to provide a free, secure, public WiFi system anyway.


> Is the legal argument stronger here?

EU court directives are applicable for EU member countries. CDU or SPD can't do much. There's also a ruling from the Danish SC on EU directives that applies in Germany on open WiFi. I doubt SPD or CDU could do much. It would potentially just delay the homecoming of such a law.


Danish court rulings binding on Germany? You're either joking or misinformed.


No court rulings are ever binding apart from the specific case discussed. However, judges often (especially in higher courts) state criteria they would use to judge similar cases and make general remarks in this area of law. Other judges then later directly refer to those lines of argumentation. If a Danish judge issued a ruling based solely on EU law with convincing arguments, then a German judge can use that later just as if another German court ruled on that matter.

I don't read verdicts often enough to say how common this is (and certainly often arguments are copied without mentioning the source). However, in literature you regularly see that authors refer to cases from different EU member states. And why should arguments made by Danish judges be worth less in Germany than arguments made by German judges? The whole point of the EU is harmonization of law. If one legal source is consistently interpreted in two different ways in two different countries something definitely went wrong.


I have explicitly mentioned that it is a Danish Supreme Court ruling on EU directives and hence has bearing (not binding) in Germany. I'd love to be proved wrong, but here's a link that pretty much mentions the same:

> It’s noteworthy, though Germany’s legislators probably don’t realize this yet, that the elimination of the Störerhaftung enables use of the open wireless defense in Germany, according to a ruling from the Danish Supreme Court (which does have bearing in Germany, as that court ruled on EU directives).

https://www.privateinternetaccess.com/blog/2016/05/finally-g...


> Why would after such a long time the CDU suddenly drop the pro-Störerhaftung position?

Most of them own tablets and smartphones by now and they don't feel like maxing out their data plan which they have to pay for themselves.

On a serious note, I'd agree that this just creates legal uncertainty. Netzpolitik.org (in German language) goes a bit into details [0]

[0] https://netzpolitik.org/2016/abschaffung-der-wlan-stoererhaf...


The situation is similar in France, with the HADOPI (3-strike law) adding a "neglect" infraction for lack of securing your Internet access. So you're indirectly responsible for piracy, but won't pay fines for it, only for negligence of securing your wireless network (i.e. running an open network). It's pretty comical and hard to apply, and only one person has been sentenced in the 7 years of this law.

Luckily, there's always onionpi (https://learn.adafruit.com/onion-pi/ ) should you need to run an open wifi network.


>only one person has been sentenced in the 7 years of this law.

That's not true. At the end of 2015, about 31 people were found guilty.

https://nextinpact.com/news/96525-hadopi-plusieurs-abonnes-c...


But how many were condemned specifically for "neglect"? I'm guessing it's not that many. Anyway, even if it's 31 people, it's still a very low number considering the money spent there.


Is this a common practice in Europe/US? It seems ridiculous that the WiFi provider would be held liable for such a thing. Why stop there, should make the ISP liable too!


No, it's just Germany that has this stupid rule. Yes, it's ridiculous but has that ever kept politicians from implementing legislation?

Germany is particularly notorious when it comes to useless, ridiculous and downright detrimental laws regarding anything that has to do with the Internet, notable examples being the so-called 'Leistungsschutzrecht' (https://en.wikipedia.org/wiki/Leistungsschutzrecht ) and the 'Impressumspflicht' (legal notice requirements for websites)


The Impressumspflicht that is applied to websites now is based on a law from 1530[1]

[1]: https://de.wikipedia.org/wiki/Impressumspflicht#Geschichte


The idea is old but the law now applied to websites was deliberately extended to the internet.


I don't think the law actually explicitly affects wifi, that's just a consequence. The concept of Störerhaftung precedes wifi by quite a bit.


It's a "happy accident" for the content industry, though. Can't figure out who fileshared your mp3? Just sue the person running the public WiFi.

There have been several attempts to sue Freifunk (basically a public mesh WiFi using tunnelled connections) participants this way too, luckily so far that hasn't resulted in a single "victory" yet.


No. That's a Germany thing and it resulted in the complete lack of public wifi hotspots.


More precisely: for example hotels typically have a public wifi for their customers, but you must get an individual login account from the reception. This protects the hotel or its service provider.

It is quite silly, of course, and is generally a little hassle with your hotel.


It's more problematic when you're transiting through a German airport, and practically fall off the face of the earth.

Ohhhh, they have a wifi hotspot portal: "Enter your cell phone number to get an SMS with a 30 minute code". You want me to turn on my cell-phone and potentially incur roaming charges now?

I hear things have gotten better in Frankfurt and you only have to provide an email address. How did they skirt this law?


> I hear things have gotten better in Frankfurt and you only have to provide an email address. How did they skirt this law?

By being run by companies that claim to be ISPs. What exactly counts as an ISP is at the core of the entire issue, because ISPs are protected from this. A company which only exists to provide internet access has a better standing (and better lawyers) to argue that it is an ISP, compared to a private person or a coffee shop owner.

Most coffee shops I use Wifi in thus have access points provided by such companies. They offer AP/captive portal etc as a package and send the traffic through their systems, taking responsibility for it. (for good measure, some of them probably send the traffic out to the internet in other countries, to make it harder to harass them over it)


Are there really subscription plans where merely turning a phone on and receiving an SMS incurs roaming charges?

Typically people just disable "data roaming" when travelling internationally, at least until one reaches and can lock to a "friendly" 3G/4G network. Thus there are no charges for IP traffic including MMS, and SMS reception is always free because you cannot turn it off.

(I still agree that WLAN at German airports is abysmal and at restaurants practically non-existent. Another downside of Germany is the unavailability of Google Street View.)


> Are there really subscription plans...

Welcome to Canada... (It's not as pricey as it used to be, but who knows how many SMSs you might have queued up)


For reference, CGN airport has no-login free wifi and gives you zero bullshit.


Not really – public hotspots are everywhere. Alone in Kiel, most stores, and the whole downtown area have free public WiFi.

You just need to log in via a website, where you have to press "yes, I read the ToC".


It's just Germany. Another thing that Germany does is "speculative invoicing" viz. they send legal threats with settlement offers for illegal torrent downloads or any copyright infringements. Generally, most people pay up as the former law protected it. This new law could bring an end to this as WiFi providers now have a defense mechanism to fight this in court.


I was speculatively invoiced for things I have never even heard of let alone torrented. It's a total scam, possibly even criminals running it moonlighting as legal firms... same letter head but with different bank account details.


Another unusual German law is having to register your location with the police, even where you're staying when you travel to other parts of Germany for a few nights.


Foreigners? Probably, but I haven't checked. But how is that unusual?

China, Russia and the US all require that.

Citizens and everyone else with a residence permit don't have to register temporary whereabouts ("for a few nights").


It's not just foreigners, it's everyone in Germany. I'm not that familiar with the details though. No such thing is required in most of the West I think. In practice, an ordinary life leaves an ample paper (and digital) trail, but you can legally live "off the grid" if you'd like.

On the other end, the US is pretty unique in that you don't have to notify the government that you're leaving the country. I believe recent laws actually authorize an exit-tracking system, so that might be coming to an end unfortunately.


Wrong. We have to register our place of residence, that's true. But I can visit friends somewhere else for months and not notify anybody (well, I should notify my friends...). Because I'm not taking up residence there.


I stand corrected.


The United States has no such system. Neither residents nor foreign travelers are required to register their address with anyone when in the US.


Not sure if the law changed, but for the 12 years I was on student (F1) and then work (H1) visa I had to notify INS if I changed address. If you are traveling internationally frequently there was no need to separately inform them because you would do it on your entry form, but I've had to send a special form once when I moved and wasn't planning to travel for a while. This was about 10 years ago so things might have changed.


Strange. Every time I've visited the US I've had to specify at immigration where I'd be staying...


Entering the US requires an initial contact address on the arrival form. Once in, you can then go stay wherever you like, without any further address registration update requirement.

This is as opposed to Russia and China, where foreigners are required to notify the government of every address they ever stay at.


It's just common sense... Can an ISP be liable for what its users do? An open Wi-Fi hotspot is basically an ISP....


That's the core of the legal issue. ISPs are protected, it's not clearly regulated what/who an ISP actually is, and the courts generally haven't granted the status to private/on-the-side providers.


If a restaurant lets their customers use their phone are they liable if the customer uses the phone for illegal purposes?


It's safe to speculate that the final wording will have limitations and still require identification of users to pursue "pirates", online bullies, online vandals, etc.


Years too late. Many years really.


Why? Here's my current POV: 1. Internet is not really a public resource, it's rather a gigantic alliance of p2p connections, mostly organized by private entities who can make whatever contracts they want. 2. On this alliance, if one actor wreaks havoc (spam, DOS, scam, piracy), the victim can only turn back to the node which transmitted the connection; 3. It's up to this node to keep logs and forward the pursuit upstream to the attacker; 4. It's the only way it can decently work, because we may lack proofs or the chain of responsibility to attack the upstream node directly; 5. Legal problems will happen if we treat the Internet as a public resource, where politics have a say, where access is not authenticated, and where no-one bears responsibility for crimes.

Now it appears that you don't follow this opinion, you think we should let criminals access the internet anonymously?


> you think we should let criminals access the internet anonymously?

Of course we should, because that is unavoidable. Making anonymity harder will make it so that only criminals have anonymity, because they are the ones who can justify extraordinary measures and are willing to break laws in order to get it. All laws against anonymity do is harm honest people who need it for anonymous speech and privacy.

And somehow all of your premises are wrong, even though only one has to be for your argument to fail:

> Internet is not really a public resource, it's rather a gigantic alliance of p2p connections, mostly organized by private entities who can make whatever contracts they want.

This is like saying transportation isn't a public resource because buses and taxis and airplanes are provided by lots of different people under privately negotiated terms. You don't have to show ID to ride in a taxi, nor should you.

> On this alliance, if one actor wreaks havoc (spam, DOS, scam, piracy), the victim can only turn back to the node which transmitted the connection

Victims of scams can follow the money or flow of goods. Spam and denial of service can be algorithmically identified and rate limited. Undetectable piracy is not a problem your proposal would solve; see also direct download sites, foreign VPN services, I2P, sneakernet, LAN parties, etc.

It is also possible for endpoints to choose to require that the opposite endpoint authenticate cryptographically before accepting any other data from it, which will always be significantly more reliable than relying on every carrier and endpoint on the internet to remain uncompromised in its ability to assert the origin of traffic it forwards.

> It's up to this node to keep logs and forward the pursuit upstream to the attacker

This isn't a premise at all, it's just an unsupportable conclusory normative assertion.

> It's the only way it can decently work, because we may lack proofs or the chain of responsibility to attack the upstream node directly

So block it until the attack stops then. Or require users to register using some collateral or proof of work.

> Legal problems will happen if we treat the Internet as a public resource, where politics have a say, where access is not authenticated, and where no-one bears responsibility for crimes.

Just because an IP address doesn't map to a person doesn't mean "no-one bears responsibility for crimes." It just means investigations are more expensive. Which is good, because it means serious crimes can still be prosecuted but mass surveillance and petty crusades are impeded.


Good points, thank you for developing. You might even have changed my mind, it was worth it.


To be perfectly honest, everyone ignored it. That seems to be the role of the lawmakers lately. Make some law to comfort the elderly and ignorant, then don't enforce it and clear up the mess and damages created by the chilling effect. Ironically it won't even save those ISPs it was made to protect, which paid ridiculous amounts of money for smartphone frequencies.


The infamous CP card is usually played by backwards-minded conservatives but it was, is and keeps being a potential big problem when you open your Wifi to the public. Also other criminal online activities.


This is still a problem even if the Störerhaftung (WIFI-owner being liable for misuse) is removed: When the police come looking for someone distributing CP, they go by the IP address and take everything that remotely looks like a computer for forensic examination.

So, having an open WIFI is like painting a huge target on your back, albeit a somewhat smaller one when media companies are removed from the list of potential trouble makers.

(See also: http://www.lawblog.de/index.php/archives/2016/05/12/dein-wla... (in German), for a defense lawyer's perspective)


Well, no, if the law says "anyone can run open wifi, and any suspicious use there should be investigated, and not just taken as read that the person who owns the wifi is the user of it" then the moment permission is sought to raid the place it should be denied immediately until there's some evidence the person running the wifi also committed the crime. If that's written into the law; if at the point a warrant is sought, or if at the start of a court case the defence can just say "this case should be tossed out; you aren't allowed to go after people running free wifi" then there would be no point in going after the people providing free wifi. After all, no-one goes after the ISPs.


Except that there is evidence to show that the specific equipment was used to commit a crime. You'd be hard-pressed to provide a legal standard that prevented police from obtaining permission from a court to seize that evidence as part of their investigation, even if the owner isn't implicated.

It's not too dissimilar from a shop owner being forced to give up security camera footage -- the owner is not being targeted in the investigation, and there's plenty of unrelated footage, but there is a high likelihood of relevant evidence existing.


I think there should be a law that would disallow passwords for public wifi.

passwords are soooo annoying (is that a 1, l, or I?) & if everyone had open wifi, then it could be utilized much more, lowering everyone's wireless carrier usage. also, you wouldn't need to worry about someone using too much bandwidth -- it would happen, but i doubt more frequently than with the passwords. Well, wifi could be throttled if it were really a problem.


If it's got a password, it's not really public wifi. Isn't it usually complimentary wifi for patrons of a particular business?


I think he might be referring to "public" but not public wifi, like coffee shops etc.

I've long thought that if your business is using public unlicensed spectrum then you should be required to let the public in.

A very large national phone carrier in my country is blanketing the cities with wifi reserved for their customers - using a public resource and clogging up the unlicensed spectrum for private gain. They've already bought a lot of spectrum licenses, but clearly using public spectrum is a cost-effective way to add capacity.


Ugh.. and it is so hard to actually get on those wifi networks -- at least as a traveller. They'll give it free to mobile customers, who never bother to use it.

Yes, I was referring to cafe / resto wifi. If one opens it, then people take advantage, but if everyone opens theirs, then nobody bothers. Only some really cheapskate neighbors who most probably don't consume all that much of it anyways.

everybody has a smartphone now, most don't bother asking for the wifi password. If you ask for it, then often the next problem is the router doesn't work because nobody has used it in so long.



Large scale public wifi generally doesn't have passwords, that clearly doesn't scale, they have fancy enterprise auth things or captive portals. Shared password only works for small places like coffee shops.

Anecdotes: 1: on London Underground, my phone authenticates using the SIM somehow (it still shows a captive portal screen, just with an ad, yay). 2: in the Turkish lounge in Istanbul airport, the shared password was clearly a marketing channel, InvestInTK2016 or some such. It struck me as pretty clever.

> if your business is using public unlicensed spectrum then you should be required to let the public in

"Unlicensed" isn't really "unlicensed", as much as specifically licensed for anyone to do with as they please. But to take your idea just one step further, once you've opened up all wifi for the general public's consumption (what a renaissance for wired networking!), would people using it be allowed to use it for private gain? Why is it wrong to use unlicensed spectrum for private gain, but not to use a service provided over the same spectrum for private gain? Also, as a business, under this doctrine, are you allowed to enable wifi access to a closed non-internet LAN, with only locked-down non-public servers on it?


> "Unlicensed" isn't really "unlicensed", as much as specifically licensed for anyone to do with as they please.

One does not need a license to operate a radio in the WiFi bands, so that spectrum is unlicensed. However, it is not unregulated. :)

> Anecdotes: 1: on London Underground, my phone authenticates using the SIM somehow...

That might be EAP-SIM [0].

EAP (and WPA2-EAP) is really cool. I really wish that MSFT would configure their WiFi supplicants to not care if the key of the PEAP or TTLS server they're talking to is signed by an unknown CA. This would let coffee shop owners deploy encrypted but password-less WiFi and shut down a whole class of attacks. [1]

[0] https://en.wikipedia.org/wiki/Extensible_Authentication_Prot...

[1] Seriously, MSFT obviously designed their WPA2-EAP GUIs only for use in an enterprise environment. There's no way for a Windows user to connect to a WPA2-EAP network that uses PEAP or TTLS with a cert from an unknown CA by just clicking on the network in the network browser and punching in some credentials. You must manually configure the network, then uncheck a checkbox buried beneath a couple of menus. What's more, the error you get if you don't do this is entirely unhelpful. :/ In contrast, Apple's GUI for this is actually useful: "This cert is unknown. You want to trust it for this WiFi network?". Say yes and off you go!


> But to take your idea just one step further, once you've opened up all wifi for the general public's consumption (what a renaissance for wired networking!)

I think this requires clarification - I don't mean no business should ever use wifi. I mean businesses like telephone companies shouldn't be using to augment their networks. Obviously offices and the like need secure wireless networking that normal hardware can connect to.

> Why is it wrong to use unlicensed spectrum for private gain

Maybe with my above correction this isn't needed, but in cities the 2.4ghz channel is loaded to death and in a few years the 5ghz channel will be the same. All I'm objecting to are these closed commercial networks from people who should be paying for the spectrum bunging up the open one the rest of us use. My city is soaked with a wifi network that is closed to everyone except the customers of a telco. If your primary business is providing network connectivity, perhaps you should pay for the finite resource you use.


So you're speaking of a specific problem in a specific place - this is kind of hard to know when it was phrased as a general principle.

Also, it's hard to discuss the issue when there are no details about the specific issue available.

But two points: First, where I am, 2.4Ghz is perfectly swamped with normal residential access points. It seems unlikely that this telco in your city did much more than move up the point where the spectrum is swamped, rather than causing it directly (also, if their use is affecting everyone else, they themselves are affected, too, rendering their investment pretty pointless, which leads me to wonder just how bad the situation actually is). Second, if you do want to regulate, in a rule-of-law-compatible way, well, it's going to be hard to distinguish a Starbucks access point operated for the benefit of customers of Starbucks from a telco access point operated for the benefit of customers of that telco. (If you want to use spectrum ownership as the metric, consider that many telcos cover both spectrum-owning mobile and commercial and residential broadband (ie wifi-providing) subsidiaries). To further muddy the waters, the telco is very likely to be selling access to their wifi network to non-subscribers.


>it's going to be hard to distinguish a Starbucks access point operated for the benefit of customers of Starbucks from a telco access point operated for the benefit of customers of that telco

Not really. Usually there is an actual Starbucks where there is Starbucks WiFi and it doesn't extend much beyond the coffee shop. In this case and the case of Comcast in the US, the company is using other people's property for broadcasting wireless.


No I am speaking of a general principle and using an example.

I don't particularly want to get out the spectrum analysis gear and argue with your points in a ground war. I think for discussing a general idea it's a distraction.


Public doesn't mean free to everybody, it means available to everybody. A public house (as opposed to a private club), aka a pub, is not a place you can hang out whenever, they have hours (they are not "public" at night) and you're supposed to buy stuff when you're in there.

There's nothing about password protected wifi that makes it inherently non-public.


I think he means when certain Telcoms blanket entire cities with Wi-Fi in the unlicensed spectrum which at scale makes everyone else's connection worse. I have no problem with blanketing cities with internet access but I think commercial wireless should have their own frequency -- which would actually be good for them since they would be mostly alone in the space and could get a frequency which is better suited to large scale coverage.


I live in London which has a lot of telco wifi everywhere and I haven't seen any adverse impact on my signal.

Wifi is saturated regardless of it being metro or not, relatively speaking the strongest signals by far will come from your neighbours not the telcos.


If I remember correctly, the problem with open WiFis is that all data is transmitted as plaintext.

If you set a password (even if it's just "password") and therefore enable e.g. WPA2-PSK, data is properly encrypted with a per-client session key.


This isn't really true. If you know the PSK and can capture the packets of the client associating with the AP, you are able to decrypt any further communication.

http://security.stackexchange.com/questions/8591/are-wpa2-co...
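The two comments above (WPA2-PSK gives each client its own session key, yet anyone who knows the PSK and captures the association can decrypt), worked through as an added example that is not part of the original thread: it runs the standard WPA2-PSK key derivation (PBKDF2 for the PMK, the 802.11i PRF for the PTK). The SSID, MAC addresses and nonces are constructed sample values, and the random per-user PMK at the end is only a stand-in for what an 802.1X/EAP login would produce.

```python
import hashlib
import hmac
import os


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, length: int) -> bytes:
    """802.11i PRF: concatenated HMAC-SHA1(key, label || 0x00 || data || counter)."""
    out = b""
    counter = 0
    while len(out) < length:
        msg = label + b"\x00" + data + bytes([counter])
        out += hmac.new(key, msg, hashlib.sha1).digest()
        counter += 1
    return out[:length]


def derive_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes,
               anonce: bytes, snonce: bytes) -> dict:
    """Pairwise transient key for CCMP (48 bytes), split into KCK / KEK / TK."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    return {"KCK": ptk[:16], "KEK": ptk[16:32], "TK": ptk[32:48]}


def sample_nonce(tag: bytes) -> bytes:
    """Constructed 32-byte nonce so the example is reproducible."""
    return hashlib.sha256(tag).digest()


def demo() -> dict:
    # Constructed network: a cafe that "just sets a password".
    ssid, passphrase = "CafeGuest", "password"
    ap_mac = bytes.fromhex("02aabbccdd01")
    alice_mac = bytes.fromhex("02aabbccdd10")
    bob_mac = bytes.fromhex("02aabbccdd20")

    # Every client with the passphrase computes the same PMK.
    pmk = derive_pmk(passphrase, ssid)

    # Each association uses fresh nonces, so each client gets its own PTK.
    alice_hs = (ap_mac, alice_mac, sample_nonce(b"anonce-1"), sample_nonce(b"snonce-alice"))
    bob_hs = (ap_mac, bob_mac, sample_nonce(b"anonce-2"), sample_nonce(b"snonce-bob"))
    alice_keys = derive_ptk(pmk, *alice_hs)
    bob_keys = derive_ptk(pmk, *bob_hs)

    # The MACs and nonces travel unencrypted in the 4-way handshake. Bob knows
    # the passphrase, so if he saw Alice associate he has every PTK input.
    bob_view_of_alice = derive_ptk(derive_pmk(passphrase, ssid), *alice_hs)

    # If he missed the handshake he lacks the nonces; a guess gives other keys.
    missed = derive_ptk(pmk, ap_mac, alice_mac,
                        sample_nonce(b"guess-a"), sample_nonce(b"guess-s"))

    # Stand-in for 802.1X/EAP: each user ends up with a PMK nobody else holds,
    # so the same public handshake values no longer lead to Alice's keys.
    alice_eap_pmk, bob_eap_pmk = os.urandom(32), os.urandom(32)
    alice_eap = derive_ptk(alice_eap_pmk, *alice_hs)
    bob_eap_attempt = derive_ptk(bob_eap_pmk, *alice_hs)

    return {
        "clients_have_distinct_tk": alice_keys["TK"] != bob_keys["TK"],
        "psk_holder_recovers_alice_tk": bob_view_of_alice["TK"] == alice_keys["TK"],
        "missed_handshake_fails": missed["TK"] != alice_keys["TK"],
        "per_user_pmk_isolates": bob_eap_attempt["TK"] != alice_eap["TK"],
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The per-client key is real, but its only secret input is the shared passphrase, so a shared-password network protects against outsiders and not against other patrons.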


Well, that's almost as terrible. Combined with the "everyone can deassociate everyone" that's been in WLAN forever and the "enterprise" solutions using MSCHAPv2 where passwords can be almost trivially recovered it's pretty much impossible now to do WLAN securely. Companies should really treat any wireless network as basically insecure.

The terrible certificate support in e.g. Android is just icing on the top.


> ...and the "enterprise" solutions using MSCHAPv2 where passwords can be almost trivially recovered...

Those enterprise solutions are almost certainly wrapping the MSCHAPv2 exchange in TLS. e.g. PEAP-MSCHAPv2 or TTLS-MSCHAPv2. Additionally, I'm not sure, but I think that plain EAP-MSCHAPv2 can't generate the keys required for a wireless client to establish an encrypted session with an AP and -thus- would never be used by a WiFi client.

> The terrible certificate support in e.g. Android is just icing on the top.

Eh? In my experience both Android and OS X's UIs for WPA-EAP are substantially superior to the UI that Windows offers.


Some event WLANs I've used had been set up to use WPA2 Enterprise, but accepting any user/password combination, giving everybody a different key. Bit more annoying to set up and connect to though, so probably not for general public APs. (+ explain that to customers. "No, really, just put anything in there. No, it doesn't matter, just do it.")


You guys surprise me, how is this news? Western societies are supposed to be liberal, how exactly would one be responsible for what other guys do? How about open Wifi in hotels or restaurants?

I am not surprised provided what I hear you say, that Bulgaria (where I live in) has the best internet connection in the world. If you think I am joking - Google it. What the title says is sheer stupidity and makes absolutely no sense - an insult to intelligence.


> How about open Wifi in hotels or restaurants?

This is the primary reason why Germany has very few open WiFi spots.


Well, I am glad they are moving over. Technically, it would be very hard to find people responsible for open Wifi in, for example, a hotel. Who would be responsible if Osama Bin Laden browsed something that is illegal? The hotel owner, the staff, the internet provider? And how about if the hotel is owned by a public company? The shareholders?

Just bullshit.


That's why the wifi isn't open in German hotels, instead you get a login specific to your room.


And that is why this is bullshit, because, if I want, I switch to mobile roaming for the price of one beer. You cannot stop me with bullshit like that, if I want to do something that they think is illegal.

And not only that, I can buy an anonymous SIM card, if I want. What exactly are you saying, you are defending this stupidity? What else are you defending, if someone uses Facebook or Whatsapp for terrorism, you gonna shut them down.

Please.


I think you will not be surprised to read that they are trying to outlaw anonymous SIM cards ...

http://www.spiegel.de/netzwelt/netzpolitik/prepaid-sim-regie...



