Piggybacking refers to access of a wireless Internet connection by bringing one's own laptop computer within the range of another's wireless connection, and using that service without the subscriber's explicit permission or knowledge.
It is a legally and ethically controversial practice, with laws that vary by jurisdiction around the world. While completely outlawed or regulated in some places, it is permitted in others.
Laws regarding "unauthorized access of a computer network" exist in many legal codes, including those of the U.S. federal government, all 50 U.S. states, and other countries, though the wording and meaning differ from one to the next. However, the interpretation of terms like "access" and "authorization" is not clear, and there is no general agreement on whether piggybacking (intentional access of an open Wi-Fi network without harmful intent) falls under this classification. Some jurisdictions prohibit it, some permit it, and others are not well-defined.
For example, a common but untested argument is that the 802.11 and DHCP protocols operate on behalf of the owner, implicitly requesting permission to access the network, which the wireless router then authorizes. (This would not apply if the user has other reason to know that their use is unauthorized, such as a verbal or written notice.)
In 2003, the New Hampshire House Bill was proposed, which would clarify that the duty to secure the wireless network lies with the network owner, instead of criminalizing the automatic access of open networks. It was passed by the New Hampshire House in March 2003, but was not signed into law. The current wording of the law provides some affirmative defenses for use of a network that is not explicitly authorized:
I. A person is guilty of the computer crime of unauthorized access to a computer or computer network when, knowing that the person is not authorized to do so, he or she knowingly accesses or causes to be accessed any computer or computer network without authorization. It shall be an affirmative defense to a prosecution for unauthorized access to a computer or computer network that:
- (a) The person reasonably believed that the owner of the computer or computer network, or a person empowered to license access thereto, had authorized him or her to access; or
- (b) The person reasonably believed that the owner of the computer or computer network, or a person empowered to license access thereto, would have authorized the person to access without payment of any consideration; or
- (c) The person reasonably could not have known that his or her access was unauthorized.
There are additional provisions in the NH law, Section 638:17 Computer Related Offenses, as found by searching NH RSAs in December 2009. They cover actual use of someone else's computer rather than simply 'access':
II. A person is guilty of the computer crime of theft of computer services when he or she knowingly accesses or causes to be accessed or otherwise uses or causes to be used a computer or computer network with the purpose of obtaining unauthorized computer services.
III. A person is guilty of the computer crime of interruption of computer services when the person, without authorization, knowingly or recklessly disrupts or degrades or causes the disruption or degradation of computer services or denies or causes the denial of computer services to an authorized user of a computer or computer network.
IV. A person is guilty of the computer crime of misuse of computer or computer network information when:
- (a) As a result of his or her accessing or causing to be accessed a computer or computer network, the person knowingly makes or causes to be made an unauthorized display, use, disclosure, or copy, in any form, of data residing in, communicated by, or produced by a computer or computer network; or
- (b) The person knowingly or recklessly and without authorization: (1) Alters, deletes, tampers with, damages, destroys, or takes data intended for use by a computer or computer network, whether residing within or external to a computer or computer network; or (2) Intercepts or adds to data residing within a computer or computer network; or
- (c) The person knowingly receives or retains data obtained in violation of subparagraph (a) or (b) of this paragraph; or
- (d) The person knowingly uses or discloses any data he or she knows or believes was obtained in violation of subparagraph (a) or (b) of this paragraph.
V. A person is guilty of the computer crime of destruction of computer equipment when he or she, without authorization, knowingly or recklessly tampers with, takes, transfers, conceals, alters, damages, or destroys any equipment used in a computer or computer network, or knowingly or recklessly causes any of the foregoing to occur.
New York law is the most permissive. The statute against unauthorized access only applies when the network "is equipped or programmed with any device or coding system, a function of which is to prevent the unauthorized use of said computer or computer system". In other words, the use of a network would only be considered unauthorized and illegal if the network owner had enabled encryption or password protection and the user bypassed this protection, or when the owner has explicitly given notice that use of the network is prohibited, either orally or in writing. Westchester County passed a law, taking effect in October 2006, that prohibits commercial networks from being operated without a firewall, SSID broadcasting disabled, and a non-default SSID, in an effort to fight identity theft. Businesses that do not secure their networks in this way face a $500 fine. The law has been criticized as being ineffectual against actual identity thieves and as punishing businesses like coffee houses for normal business practices.