SocialMediaLand has been flooded in the last couple of days with stories about Firesheep. In case you have not heard about it, Firesheep is a Firefox add-on that allows anyone to hijack other people’s social network accounts in open wifi zones. The way the application works is staggeringly simple. If you log in to a social media site, it is likely that you will be given a session cookie to keep you logged in (usually turned on by the “Remember Me” button). This cookie identifies you as having already logged into the system, so whoever possesses it can connect to the social media site without having to identify themselves again. So, now imagine you are in a coffee shop with open wifi, you have your laptop with you, and you are logged in with a session cookie to Facebook or Twitter. Guess what? Any person in possession of Firesheep will be able to intercept that session cookie, and therefore will be able to connect to your Facebook account. Not only that, Firesheep will capture all of the unencrypted cookies flying around in the open wifi environment.
Frightened? In the immortal words of Strider: “Not nearly frightened enough. I know what hunts you”. Indeed, a wolf in sheep’s clothing. Although I have read a lot of commentary so far, I have yet to see any legal discussion about the legality of Firesheep.
Firstly, it is important to point out that the main objective of this tool is to educate consumers and to try to force developers to create secure SSL connections between the server and the user at all stages after logging in. According to the creators, this has been a well-known exploit for years, and now they have created a tool that anyone can use to illustrate that point. Keeping that in mind, there are two different ways to look at Firesheep from a legal perspective: the first is whether building the add-on is itself an offence, and the second is the use members of the public make of the application.
The most obvious offence against the building of hacking tools is the one related to the creation, sale and import of anti-circumvention tools designed to remove technical protection from copyright works, which does not apply in this case. However, the UK is a signatory to the Council of Europe’s Convention on Cybercrime, which in Article 6 obliges member states to have in place legislation against the misuse of devices. The Convention says:
“1. Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law, when committed intentionally and without right:
a. the production, sale, procurement for use, import, distribution or otherwise making available of:
i. a device, including a computer program, designed or adapted primarily for the purpose of committing any of the offences established in accordance with Articles 2 through 5;
ii. a computer password, access code, or similar data by which the whole or any part of a computer system is capable of being accessed,
with intent that it be used for the purpose of committing any of the offences established in Articles 2 through 5;”
To my reading, Firesheep seems to fall squarely into this category, as within articles 2-5 there are offences for illegal access, illegal interception, and data interference, all of which could describe what is achieved with Firesheep. However, there may be a way out with regards to mens rea. The Convention clearly sets out an exception with regards to security. Art. 6.2 reads:
“2 This article shall not be interpreted as imposing criminal liability where the production, sale, procurement for use, import, distribution or otherwise making available or possession referred to in paragraph 1 of this article is not for the purpose of committing an offence established in accordance with Articles 2 through 5 of this Convention, such as for the authorised testing or protection of a computer system.”
So, intent is very important. As the stated goal of Firesheep is to create an educational tool to check security vulnerabilities, the developers may not be committing an offence. This part of the Convention exists as well in UK law through the Computer Misuse Act 1990. s3A of the CMA states that:
“3A Making, supplying or obtaining articles for use in offence under section 1 or 3.
(1) A person is guilty of an offence if he makes, adapts, supplies or offers to supply any article intending it to be used to commit, or to assist in the commission of, an offence under section 1 or 3.
(2) A person is guilty of an offence if he supplies or offers to supply any article believing that it is likely to be used to commit, or to assist in the commission of, an offence under section 1 or 3.
(3) A person is guilty of an offence if he obtains any article with a view to its being supplied for use to commit, or to assist in the commission of, an offence under section 1 or 3.”
These offences include “Unauthorised Access to Computer Material” in s1, which certainly would cover the interception conducted by Firesheep. Interestingly, s3A seems to be much broader than the Convention, and it does not include the exception.
What about Firesheep users? The Cybercrime Convention covers the possession of items that are likely to be used for the commission of an offence such as unauthorised access (see Art. 6.1(b)). Moreover, the Computer Misuse Act seems to be quite clear with regards to unauthorised access. The aforementioned s1 reads:
“(1) A person is guilty of an offence if—
(a) he causes a computer to perform any function with intent to secure access to any program or data held in any computer, or to enable any such access to be secured;
(b) the access he intends to secure, or to enable to be secured, is unauthorised; and
(c) he knows at the time when he causes the computer to perform the function that that is the case.
(2) The intent a person has to have to commit an offence under this section need not be directed at—
(a) any particular program or data;
(b) a program or data of any particular kind; or
(c) a program or data held in any particular computer.”
Similarly, the act of intercepting a cookie may fall foul of the Electronic Privacy Directive (2002/58/EC), which clearly states in art. 5 that:
“1. Member States shall ensure the confidentiality of communications and the related traffic data by means of a public communications network and publicly available electronic communications services, through national legislation. In particular, they shall prohibit listening, tapping, storage or other kinds of interception or surveillance of communications and the related traffic data by persons other than users, without the consent of the users concerned, except when legally authorised to do so in accordance with Article 15(1).”
In short, it seems like the only way in which one may argue that Firesheep is legal in Europe in general, and in the UK specifically, is if one were to hold that the tool was designed to educate about serious security vulnerabilities. Were I the developers, I would not be travelling to Europe any time soon. As for individual users, my guess is that they will be committing one of the offences listed above.
Having said that, I thoroughly empathise with the developers, and support their objective. However, the fact that Firesheep will undoubtedly be misused gives one cause for concern. How many people will have had their Facebook and Twitter accounts accessed in the last few days? My guess is that the number is non-negligible.
However, I must join my voice to that of the Firesheep developers. We need SSL at all stages of the connection, and we need it now.
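For readers on the developer side of this, the concrete form of “SSL at all stages” is that the session cookie described at the top of this post must never be sent over plain HTTP, which in practice means it carries the Secure attribute and the site tells browsers to stay on HTTPS (the HSTS header). The following is an added example written for this post, not code from Firesheep or from any social media site: a small audit that reads a site's response headers and reports session cookies that would travel in the clear. The header values are constructed for illustration.

```python
"""Audit HTTP response headers for the weakness Firesheep exploits.

A cookie set without the Secure attribute is sent by the browser on every
plain-HTTP request to the site, so on an open wifi network it is visible to
anyone sniffing traffic. This is example code written for this post, not part
of Firesheep or of any site's code; the sample headers below are constructed.
"""

# Constructed sample responses, mirroring a "Remember Me" login on two sites.
# Keys are header names; Set-Cookie is a list because it may repeat.
LEAKY_RESPONSE = {
    "Set-Cookie": [
        "session_id=abc123; Path=/; Expires=Wed, 09 Jun 2021 10:18:14 GMT",
        "remember_me=1; Path=/",
    ],
}

HARDENED_RESPONSE = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Set-Cookie": [
        "session_id=abc123; Path=/; Secure; HttpOnly",
        "remember_me=1; Path=/; Secure; HttpOnly",
    ],
}


def parse_set_cookie(value):
    """Return (name, attributes) for one Set-Cookie header value.

    Attribute names are lower-cased; flag attributes such as Secure map to
    True, valued attributes such as Path map to their string value.
    """
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        if "=" in part:
            key, val = part.split("=", 1)
            attrs[key.strip().lower()] = val.strip()
        elif part:
            attrs[part.lower()] = True
    return name, attrs


def audit_cookies(response):
    """Return a list of findings; an empty list means nothing is exposed.

    Two checks cover the Firesheep scenario: each cookie must carry Secure so
    the browser only ever sends it over TLS, and the site should send HSTS so
    the browser does not start a session on http:// in the first place.
    """
    findings = []
    for raw in response.get("Set-Cookie", []):
        name, attrs = parse_set_cookie(raw)
        if "secure" not in attrs:
            findings.append(f"{name}: missing Secure attribute; "
                            "browser will send it in the clear over HTTP")
    if "Strict-Transport-Security" not in response:
        findings.append("no Strict-Transport-Security header; "
                        "browser may still begin on http://")
    return findings


if __name__ == "__main__":
    for label, resp in (("leaky", LEAKY_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_cookies(resp) or ["ok"])
```

The Secure attribute is what makes a cookie usable only over an encrypted connection, and HSTS closes the gap where a user types the bare hostname and the first request goes out unencrypted; a site that passes both checks gives a passive sniffer on open wifi nothing to capture.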
ETA: I do not know how I also forgot to mention s1 of the Regulation of Investigatory Powers Act (RIPA), which makes it an offence to intentionally intercept an electronic communication.