During a conversation last year with a Houston-based network administrator, I asked, “Is wire sniffing at some random public WiFi hotspot illegal?” “No, not at all. It’s just passive…and besides, anyone stupid enough to pass their sensitive information over an unsecure network gets what they deserve.” As it turns out, he was wrong, but he’s not alone in his confusion.
A quick search shows that many other people are curious about the legality of packet sniffing, but the advice they get is contradictory. According to Ohm, Sicker, and Grunwald (2007), some of the top justifications for sniffing without consent include:
• “It’s my network, so I can do whatever I want.”
• “The network wiretapping laws have an exception for academic research.”
• “Packet sniffing is legal so long as you filter out data after the 48th (or 96th or 128th byte)”
• “Capturing content may be illegal, but capturing non-content is fine”
• “We’re not breaking the law because we’ve anonymized the data”
• “Data sent over a wireless network is available to the public, so capturing it is legal.” (Ohm, 2007 p. 1)
Ultimately, the court of law, not the court of public opinion, is the deciding factor in legality. So why isn’t the issue clear-cut and widely known? The laws that govern packet sniffing, the Federal Wiretap Act and the Pen Register and Trap and Trace Act, were written more than 50 years ago and were meant to apply to the wiretapping of phones. Later, in 1986, packet transmissions were added to the list of covered communications. The Patriot Act of 2001 also amended the body of law. Between this patchwork of jury-rigged laws and the legitimate exceptions to them, it is often unclear what restrictions apply to which activities.
It is fairly simple to see that gathering content, such as chat communications and emails, is unethical; its illegality is defined by the Federal Wiretap Act of 1968. However, some believe that there are no laws covering non-content such as the headers of HTTP requests and emails, and prior to 2001 this was in fact the case. The Patriot Act of 2001 closed that loophole by amending the Pen Register and Trap and Trace Act. Exceptions exist for network administrators (via the Electronic Communications Privacy Act) who use packet sniffing solely for monitoring purposes, and for law enforcement officials.
How, then, can one legally sniff a network? Only by the consent of all users being monitored. In some states, such as Texas, implicit consent may be obtained when the law only requires one party of a communication to be notified. However, it would be best to assume that explicit consent of both parties is required, at least from an ethical standpoint.
It is easy to assume that in this day and age, most reputable websites would engage in some form of secure transmission of sensitive data. Indeed, when I used Wireshark to view network traffic during the login procedures at major websites such...