We Have Ways of Making You ... Use a Password

By Adrian Lane

MSNBC has an interesting news item: a German court is ordering all wireless routers to have a password, or the owners will be fined if it is discovered that someone used their connection illegally. From the post:

Internet users can be fined up to euro 100 ($126) if a third party takes advantage of their unprotected WLAN connection to illegally download music or other files, the Karlsruhe-based court said in its verdict. “Private users are obligated to check whether their wireless connection is adequately secured to the danger of unauthorized third parties abusing it to commit copyright violation,” the court said.

OK, so this is yet another lame attempt to stop people from sharing music and movies by trying to make the ‘ISP’ (a router owner in this case) an accessory to the crime. I get that, but a $126.00 fine, in the event someone is caught using your WiFi illegally and they prosecuted, is not a deterrent. But there are interesting possibilities to consider.

  1. Would the fine still apply if the password was ‘1234’?
  2. What if they had a password, but used WEP? Some routers, especially older routers, use WEP as the default. It’s trivial to breach and gain access to the password, so is that any better? Do we fine the owner of the router, or do we now fine the producer of the router for implementing crappy security? Or is the manufacturer covered by their 78 page EULA?
  3. Many laws start as benign, just to get a foothold and set precedence, then turn truly punitive after time. What if the fine was raised to $1,260, or $12,600? Would that alter your opinion?

I cannot see an instance where this law makes sense as a deterrent to the actions it levies fines against.

No Related Posts

That MSNBC piece is strikingly uninformative. It doesn’t even address how a court is effectively creating new law, so there must be a lot more to it, as suggested by Chris’ comment.

From the quote, 1234 is not sufficient. If there’s a lawsuit which makes it before a judge, the damages are going to be sufficient (even if they’re arguably bogus) that 1234 is not “adequate… to the danger”.

Hopefully this minor fine will convince people, hardware vendors, and ISPs, to use WPA and real passwords. Lots of ISPs offer WiFi APs with WEP by default, and I don’t see a basis here for suing such a customer for not upgrading or replacing the AP (some don’t support WPA!)—I know several people who don’t know the difference between WEP and WPA, and the court’s mention of ‘password’ makes it clear that a music company cannot (currently) sue for inadequate encryption type.

Then again, if someone steals plans for a fighter jet while setting in a German driveway, this might be a bad precedent for the owner of the driveway/AP.

By Chris Pepper

It is not a 100 Euro fine as such… As far as the law is concerned, you can leave your wifi wide open! This was a civil case. The ruling said that if someone downloads stuff using your unsecured IP, the worst that can happen to you is a cease and desist notice at a maximum cost of 100 Euros. The plaintiff also demanded damages for lost earnings, and this was denied by the court.

I think you have to take reasonable precautions, so 1234 probably won’t cut it…

I think the “real life” analogy would be young people dancing to bootlegged grammophone records in your barn while you are away. The grammophone company could demand that you lock the barn with a standard padlock and charge you max. 100 Euros in legal fees.

There is a cottage industry of third rate musicians and lawyers who trap downloaders and send them cease and desist notices, charging hundreds of Euros for the privilege, so this ruling is a bit of progress.

By Chris

If you like to leave comments, and aren’t a spammer, register for the site and email us at and we’ll turn off moderation for your account.