[OpenWireless Tech] On VPNs

Peter Eckersley pde at eff.org
Thu Jul 28 15:14:23 PDT 2011


On Thu, Jul 28, 2011 at 03:23:48PM -0500, Christopher Byrd wrote:
> > against malicious APs.  If APs wish to transmit nothing but VPN traffic, it
> > could also protect the APs against clients that do questionable things with
> > the network.
> 
> Have you run this statement past a lawyer, or are you one? I don't
> know if purposeful blindness is a valid defense. I don't even know if
> there is liability to running an open wireless network in the first
> place. In the US for example a large number of corporations have
> decided to operate nationwide open wireless hotspots. I would be
> surprised if they are doing so over the objections of their legal
> counsel.

I am not a lawyer, but I work in an office full of lawyers.  Nothing I say
here is legal advice.  The question of what risks you take by running an open
wireless router is complicated.  And of course it depends on what jurisdiction
you're in.  

A couple of general points: individuals running open routers in the US would
enjoy the same legal protections against various forms of liability that ISPs
do via CDA 230 and 17 USC 512 (though there is always some risk of liability,
and you might not be in the US).  But most importantly: regardless of
whether you are legally liable, you could still be faced with significant
expense and difficulty in proving that you were merely the network provider,
and not the original source of the traffic.

We believe that these risks are very small in an actuarial sense, and if the
open wireless movement runs a real public-facing campaign, I expect EFF will
have more to say about them.

Anyway, while the risks are small, some people are afraid of them, and some
people will make an informed choice not to take them even though they are
small.  It would therefore be desirable, but not necessary, for an open
wireless campaign to offer ways of reducing them further.

With VPNs, I believe there are a lot of things that a VPN operator could do to
reduce the chance of false accusations against itself and first-hop router
operators, and manage and reduce its own risks as an ISP.

> > The big question with VPNs is, can we get cheap enough bulk VPN provision
> > that anyone can get a VPN connection that is free or very cheap, and
> > extremely easy to configure?
> 
> Who is going to host these VPNs? Will they offer them for free? How will
> they afford to provide the service? How will they provide security at the
> termination point? How will they provide technical support? How will they
> deal with the liability that may then be shifted to them?

I think you are largely asking the same questions that I was, and I agree that
there would need to be a compelling answer before VPNs are considered
(although I'm not yet sure that no such answer is possible).  One extra
question you ask is "how will they provide security at the termination point"?
The answer is: you still need to use HTTPS/TLS/end-to-end encryption if you
want proper security.  All the VPN does is raise the cost of casual attacks.

-- 
Peter Eckersley                            pde at eff.org
Senior Staff Technologist         Tel  +1 415 436 9333 x131
Electronic Frontier Foundation    Fax  +1 415 436 9993


