Is an open WiFi a legal risk to owner?

I often get the equivalent of the following question for both business and home users. The short answer is that you should never leave your WiFi routers open to all. This question comes from a lawyer concerned about his client:

Question: Client lives in an apartment. He has an open Wi-Fi connection in his apartment. Anyone living nearby could access the internet using his Wi-Fi. If someone accesses and or downloads child porn while using that Wi-Fi connection, would it come back to my client’s IP address?

Answer: If the WiFi router is also the Internet router then in the vast majority of configurations, the WiFi router masquerades user IP addresses behind the WiFi’s public IP address. This means that all activity between the user and Internet sites will be between the WiFi’s public IP address and the site. The Internet site’s logs will have no record of the user’s IP address itself but instead will have the WiFi router’s IP address. The WiFi’s IP address permits finding the physical location of your client’s WiFi router. This should be enough to get a subpoena of user’s PCs at the location.

To make the connection between the activity on the Internet site and the user themselves an investigator will have to do a little more. The WiFi router, even if its logging is turned on, will likely only show a table of IP addresses associated with MAC addresses. MAC addresses are unique to the network cards of each device (although even that can be spoofed). However, even with this information the WiFI router makes no record connecting specific Internet activity and the user’s real IP and MAC addresses.  This is where the subpoena of PCs comes in. Investigators will be hoping that the many traces left by the Internet activity are still on the PC.

The other alternative for an investigator is to connect to the same WiFi router in the hopes of monitoring the activity in real time. If successful and done while the user returns to the same sites, this monitoring from inside the WiFi network will reveal the user’s real IP address and the Internet activity as well as some information about the strength of the signal and a crude measure of distance between the investigator and the user being monitored.

If it turns out that your client is not the person the investigator is looking for they will still face the subpoena of user PCs because that is all the investigators will have to go on. Leaving their WiFi in an open state subjects them to the scrutiny that comes with any illegal activity performed through their WiFi router. It is far better that they do the minimum to secure their WiFi router. While it is still possible to break the encryption, abuse the use of a WiFi router, and cause all the above to happen that is significantly less likely when the WiFi router is properly secured.