The latest nutty ruling from the European Court of Justice is yet another example of judges and politicians failing to get the advice of anyone who knows how stuff works before opening their mouths and putting their foot in it.
This concerns a case where some digital rights lawyers tried to sue the owner of a lighting shop in Germany because some of his punters were downloading naughty stuff over his free WiFi. Article 12 of the EU E-commerce Directive says that an ISP isn’t usually responsible for the activity of its users, in the same way the local council isn’t responsible if a thief uses one of their footpaths to make a getaway. But thanks to some deep pocketed sharks lawyers and a defence mounted by some gonzo for the Pirate Party, the ECJ ruled otherwise:
The Court holds that an injunction ordering the internet connection to be secured by means of a password is capable of ensuring a balance between, on the one hand, the intellectual property rights of rightholders and, on the other hand, the freedom to conduct a business of access providers and the freedom of information of the network users. The Court notes, in particular, that such a measure is capable of deterring network users from infringing intellectual property rights.
Basically, until they roll the dice again, offering free WiFi is off the menu at your local coffee shop; customers have to register and get a password, so Sony etc know where to go knocking when their crooners are pirated.
This is going to cause great inconvenience to the majority of normal users, but not much to the pirates. In order to implement this, having a simple open WAP for your customers to use isn’t going to be possible. They’ll all need to be changed to stop and ask for a password before proceeding. You’ll have to give your name and address to the café owner, have an account created and be issued with a unique user-ID and password. The ruling doesn’t go into any detail about how rigorous the ID check should be, but that’s a whole new boîte de Pandore.
However, if you’re a pirate, you just give false credentials. No problem. Or even easier, capture the unencrypted traffic and pinch someone else’s password, then sit back and snigger as the fuzz kick down their door instead.
You could, of course, insist that such networks are also encrypted using WPA. Not all endpoints support this, but let’s leave that aside. Unlike WEP, which can be broken in 30 seconds on a laptop, WPA2 takes a couple of hours on some fairly hefty dedicated kit (or 24 hours on a standard AWS compute server). So that’s alright then.
Once a fake account has been obtained, of course, you can provide lists of WPA2 keys, IDs and passwords on the pirate web. I predict there’ll be a huge list of fake credentials within a couple of days of it being implemented. Well, I would predict it if the ECJ ruling could be implemented without major infrastructure changes and the enormous manpower needed to enforce it. But that’s not going to happen, is it?
But hang on a minute – doesn’t this all sound familiar? Well yes, there’s the UK’s Data Retention Regulations of 2009. This already requires service providers to keep a log of the name and address of users, and what IP address they were using at any given time. If you’ve noticed WiFi hotspots provided by some large companies asking for your name, address and password when you first log in, now you know why.
Is this effective? Of course not. Who’s going to give their real name and address? If you’re a legitimate user, you’re going to be wary of junk mail; if you’re a pirate you’d have to be crazy.
So once again, we have some complete idiots in the EU (in this case) flying in the face of technological reality, where the only practical response to their utterances is to ignore them. What a waste of time and money. It’d be cheaper to stick to our own idiot politicians.