The economics of freeloading on wireless networks

Today's NYT has an article about the now common practice of freeloading off other people's insecure wireless networks. Unfortunately, they don't do that great a job of explaining why you would or would not want people using your wireless network. For instance:
Martha Liliana Ramirez, who lives in Miami, said she had not thought much about securing her $100-a-month Internet connection until recently. Last August, Ms. Ramirez, 31, a real estate agent, discovered a man camped outside her condominium with a laptop pointed at her building.

When Ms. Ramirez asked the man what he was doing, he said he was stealing a wireless Internet connection because he did not have one at home. She was amused but later had an unsettling thought: "Oh my God. He could be stealing my signal."

What the heck does stealing your signal mean? The first thing you need to realize is that almost everyone's Internet connection pricing is flat rate. So, if someone else is using your Internet connection it doesn't cost you money at all. This is quite different from (say) your cell phone, which is probably charged by the minute.

They might, however, be stealing your performance. Your home Internet connection--like the Internet in general--operates on the principle of statistical multiplexing. Say you have a typical 1.5 Mbps DSL line. In principle, you could be moving 1.5 Mbps worth of data at all times but in practice you're not. Most of the time you're not using the Internet at all and even when you are, mostly you're doing fairly bursty stuff. For instance, when you click on a Web page there's a burst of activity while it downloads and then nothing while you're reading it. Even if you're doing something real-time like VoIP, you're only talking some fraction of the time and your softphone can do silence suppression and not send any data if you're not talking.

Pretty much the only applications that load your Internet connection continuously are bulk data transfers like file downloads. Even then, the limiting factor is often the bandwidth of the site you're downloading from rather than your home line. If the offered load from the site is only 500 kbps, then you have 1 Mbps that is available for other applications. The point here is that most people's network connections have lots of spare capacity, so that you mostly don't notice if a few other people are using your network. And remember that their traffic is bursty too, so the only time you'll see a slowdown is if you're trying to use a lot of bandwidth at the same time they are--or if there are so many freeloaders that they generate a high average load.

Of course, that's not the end of the story, because your ISP uses the same principle to size their network. Say you're an ISP with 1000 customers each of which has a 1.5 Mbps line. In principle, you need a 1.5 Gbps line to the rest of the Internet in order to serve all of them simultaneously, but in practice they never all demand full bandwidth simultaneously so you can get away with a much smaller line. The degree to which an ISP can underprovision their network is mostly governed by the actual fraction of their connections that their customers use. If customers do a lot of high volume data transfers then the ISPs need to buy more uplink capacity. Similarly, if a bunch of people are sharing your connection, then the overall load on your connection increases and so does the amount of bandwidth the ISP has to allocate to service you.
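An added example (not part of the original post) that puts numbers on the ISP sizing argument above. It assumes each line is independently busy at full rate with probability p and idle otherwise; the duty-cycle values are constructed for illustration, not measured.

```python
"""Added example: uplink sizing under statistical multiplexing.

Assumed model (not from the article): each subscriber line is independently
busy at full line rate with probability p, and idle otherwise.
"""

LINE_MBPS = 1.5      # per-customer line rate used in the article
CUSTOMERS = 1000     # ISP size used in the article


def lines_needed(n, p, eps):
    """Smallest k such that P(more than k of n lines busy at once) <= eps."""
    if not 0 <= p < 1:
        raise ValueError("p must be in [0, 1)")
    pmf = (1 - p) ** n          # P(exactly 0 lines busy)
    cdf = pmf
    k = 0
    while k < n and 1 - cdf > eps:
        # Binomial recurrence: P(k+1) = P(k) * (n-k)/(k+1) * p/(1-p)
        pmf *= (n - k) / (k + 1) * p / (1 - p)
        k += 1
        cdf += pmf
    return k


def uplink_mbps(p, eps=1e-3, n=CUSTOMERS, line=LINE_MBPS):
    """Uplink capacity that demand exceeds with probability <= eps."""
    return lines_needed(n, p, eps) * line


if __name__ == "__main__":
    worst_case = CUSTOMERS * LINE_MBPS   # the article's 1.5 Gbps figure
    # Duty cycles below are constructed values, not measurements.
    for label, p in [("household only", 0.05), ("shared with neighbors", 0.10)]:
        need = uplink_mbps(p)
        print(f"{label:22s} p={p:.2f}  uplink {need:7.1f} Mbps "
              f"({need / worst_case:.1%} of worst case)")
```

Doubling the duty cycle raises the required uplink substantially while both figures stay far below the 1.5 Gbps worst case, which is the sense in which shared connections undermine the ISP's provisioning assumptions.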

The ISP's pricing model is premised on certain assumptions about how you're going to use your Internet connection. One of those assumptions is that the connection will only be used by the people in an individual household. If that assumption is wrong, then the ISP's pricing model is also wrong.

Of course, at some level this is the ISP's problem, not yours. On the other hand, this is a classic public good problem: if there's a high rate of freeloading--and if the freeloaders don't buy their own lines--then this drives up ISPs' costs and eventually the costs to the people who do pay for their Internet connection. But like many such public good problems, the effect of your behavior (allowing freeloading or not) on your costs (in this case the cost of your Internet connection) is near zero, so you have very little incentive to stop freeloading as long as your performance is acceptable.[1] Note that ISPs generally prohibit this kind of connection sharing if it's intentional, but it's not entirely clear that just having an open network qualifies, and given how common open networks are, it's not like the ISP has much recourse except to threaten to cut you off.

I'm kind of skeptical that this kind of connection sharing has become a major problem for the ISPs, but if it does, they'll need to find some way to incentivize consumers not to share their connections. Among the possible approaches would be:

  • Offer customers free wireless routers that have security turned on by default. The reason that it's so easy to use other people's connections is that most Access Points (APs) ship open by default. Just having security on by default would make this a lot harder.
  • Try to detect when connections are being shared and penalize the customer. This is harder than it sounds because typical APs make all the computers behind them look like a single computer. However, there are techniques that would give you some leverage here.
  • Metered pricing. Most people have flat-fee charging, which is why they don't care about freeloaders. If they paid by the byte moved they would immediately have an incentive to stop other people from using their connection. Historically consumers have been very resistant to non-flat-rate pricing, so this would probably be difficult to impose.

Of course, yet another alternative would be to spread a bunch of FUD about how unsafe it is to let people use your wireless network. One of the most common variants of this is that you might get falsely accused of downloading contraband material that your neighbors were responsible for. On the other hand, demonstrating that you're running an open AP seems like a pretty good defense on this score. Indeed, it's a potential defense even if you were the one at fault.

1. Yes, I'm quite aware that there are security arguments for why you should secure your wireless connection in order to protect your own computer. I'm not sure I find this that convincing--if you're connecting your computer to the Internet you need to secure it, whether or not you have an open wireless AP--but in any case they're a bit off topic for this post.


Is the counting-NATed-hosts approach really workable? Unless your AP is attracting a lot of users, there's not going to be any way for the ISP to distinguish legitimate from illegitimate use. The alternative, of course, is for ISPs to "wardrive" their own customers; however, I suspect this is not cost-effective under normal circumstances....

The far better solution is to respect the spirit of Net and leave your customers the fuck alone.

And, if you want to do metering, I can always watch TV like I used to in 1996. There's a reason why the surviving metered service providers - essentially the mobile netops - have infinitesimal uptake.

I've had users' home machines and laptops compromised via their wireless access points before. They were protecting themselves against network worms with the firewall on their cablemodem/router. That worked fine as long as no malware was on the inside of the firewall.

That assumption breaks down when a neighbor unintentionally associates with my users' new access point instead of their own (common), or some wandering stranger happens by seeking a connection (less common).

That said, the whole point of wifi is open networking; it's the original motivation. And, as you note, it's great plausible deniability.

The personal firewall of Joe-user will allow for different security levels depending on whether the remote host is in the LAN or outside. So attacks from within the LAN probably have more chances to succeed.

I think that you are missing the biggest culprit: upstream bandwidth. If you have an asymmetric connection like a cable modem, then someone using VoIP or hosting bittorrent files through your connection can kill your ability to do so.

This is a sky-is-falling non-problem. It is most unfortunate that the telephone companies have used their de facto monopolistic positions to emerge as the leading broadband providers. They have never shed their monopolistic ways.

Those of us old enough to remember will recall when according to "The Phone Company", the sky would surely fall if one installed his own extension phone, used a non-Western-Electric phone, did his own wiring, didn't pay for "inside maintenance", used a data modem on a voice line or, God forbid, if there were to be any actual competition. The sky is still up there and working fine, of course.

AT&T has become nothing more than a trademark because they could not shed monopoly-think and compete in the free marketplace. The same thing would happen to local Bells if we could ever elect a Congress not bought and paid for which would force real local competition.

The bastard stepsister of monopoly is absolute control. The real problem is NOT too much bandwidth being used - after all I'm renting a pipe of a certain size and whether I use it just a little or a lot, it's my pipe - but the old fashioned issue of The Phone Company (and ITS bastard stepsister, The Cable Company) not being able to exert absolute control over its customers. No different than when The Phone Company would send out The Phone Police to force one to disconnect that "Illegal" extension phone.

As a former ISP owner/operator I can say that the strawman about aggregate bandwidth use is bunk. We used to plan for 80% usage by our subscribers - much more than the industry standard - and we STILL made money hands-over-fists. Bandwidth is but a fraction of the cost when I was doing it so the profit margins are even greater.

It is NOT financial and it is NOT bandwidth usage. It's about control - nothing more, nothing less. As such, ISP claims of "problems" should be rejected out of hand.

Open WiFi is one of the best things to happen to the net. Let's make sure the monopolists and their minions in Congress don't screw with it.


I agree it's all about control.

Legal issues might be a huge problem. If your P2P-using neighbor who's 'stealing' your network connection is tracked by the RIAA, it's you who'd eventually be held responsible. Worse, think of him trading child pornography. You want to know who your users are, unless you cannot be held responsible.

I wonder what open AP providers think about this. How do you prevent somebody from wardriving with a faked MAC to use other people's open AP for, say, trading child pornography? I guess you don't.

Ah, the child porn flag. It always comes out. Here the idea seems to be that we should be responsible for children being abused if someone uses our internet connection to send or receive it? Okay, so then the logical conclusion is that if we all stop sharing our internet connection then child porn is going to be stopped, to some degree, by our actions?

Sounds like hubris to me. Do child abusers stop if they can't share easily on the internet? Or do they find another way to access? Does internet sharing matter so much to them that they stop abusing kids? And, more interesting and important, how would you know? Less on the internet? Even if you can't find new child porn on the internet anymore, how do you know that shutting down access has had any impact on child abuse at all? Just because it isn't on the internet doesn't mean it isn't true. It is just a theory, a belief.

And the casualty is public access because as soon as enough people are willing to suspend critical functioning long enough to accept that as a valid argument, then we have a reason to start restricting and controlling access - not just AP, but all access. This is the way it is done, we assume responsibility for the bad guys and sacrifice our freedoms because the bad guys out there are abusing their freedoms, and we do it with the best of intentions. The next step is an internet license, like China, so that your access can be monitored and, effectively, restricted. Anonymity will be gone, chilling effect in place, the ability of Joe-User to state an opinion without repercussion an interesting historical fact. And if licenses cost money, well, disenfranchisement based on how much.

If restriction is what one wants, then do it, but do it as a volunteer organization of people who volunteer to lockup their AP for the public good. Get publicity, get additional like-minded volunteers, feel good about one's choices, all that kinda stuff. Later, one can consider a volunteer license idea. Because the alternative to that, making laws to enforce a belief, takes away my ability to make a choice to not believe (in) that and act accordingly. And I think I should have that choice for very fundamental human rights and freedom reasons. If you agree then you need to protect my rights to make my own choices as I protect yours because despite the fine words bandied about in fine documents, it is not a God-given right - it is something that we give to each other.

And, worse, your belief could be wrong and then I have to help clean up the mess.


BTW, in legal opinions that I have read, the pornography laws from which US laws originate had nothing to do with sex, child or otherwise. They addressed publications that might confuse the truth in young minds. In other words, they somewhat filled some of the gap between free speech and slander in Victorian England so that suppressing publications based on ideas was acceptable. Only later was sex the new definition of pornography. It belongs in the category of tools, for better or worse, used to control information.

If you're worried about people accessing your own LAN, turn on "Access Point Isolation" or something similar (that's what Linksys calls it, I have a Linksys router/AP)
There are other ways you can set rules to prevent them from accessing the computers in your LAN.

This prevents computers from accessing each other, who connect from the outside, they can only get out to the internet.

As for the issue of upload bandwidth, I can understand that, if someone from the outside starts using Bittorrent, it will kill your upload.
However many routers also have settings that throttle the bandwidth usage.

Even if yours doesn't, in many cases it's possible to run a modified firmware that might allow you to do more configuration (I know Linksys even released the source code of the firmware for their Linux routers, so if you can program, you can make your firmware do anything you want).

From a personal and professional standpoint, my biggest worry is open home networks. I've serviced multiple networks where each workstation has a shared folder (or even entire drives). Even if these aren't broadcast, simple tracking software can net workgroup name, workstation name, profile name, mapped drive letter, and real path/drive letter. Once this is known, it's a simple task to log onto an open wi-fi, map the network folder, and a stranger now has access to files. I've done this myself with clients to minimize security holes. To make matters worse, some home networks allow access-side to make changes to the host drive, for easier sharing on a network.

Classic example from one client, she has her PC in the living room, and her son has a PC on the other side of the house. Instead of getting a voice network, they both share their desktop directories with access change allowed. If she wants to leave him a note, she writes a document and drops it on his desktop through a mapped drive. Stranger A walks by, logs into their open WiFi, picks up one of these transmissions, and now has access to their desktops and, with little effort, the rest of their profile folders. Now think if that client were sharing whole drives.

Open Wi-Fi is great and should be encouraged, but NOT if any home file sharing/networking is going on, unless IP firewalls are set to deny all local network addresses except those that will be sharing, and making sure these permitted addresses are static and not reassignable when those workstations are turned off or otherwise missing from the network. Not all security concerns are bunk.
