Do you think twice before logging on to a Wi-Fi network at your
favorite coffee shop or at the airport, a convention center or
hotel? You should. When you log on using a third
party's network, you are only as secure as that network.
And who is it broadcasting that "FREE WI-FI" SSID
anyway? Could it be a criminal waiting to intercept private
information? Law enforcement authorities have warned for
years that criminals sometimes exploit Wi-Fi, including to target
hotel guests with phony "software updates" laced with
malware.[1] So if you know nothing about the
"GUEST" network you are offered, pause before depending
on it for electronic communications that could put your business or
personal data at risk. Risks like that may be a good reason
to depend on your own wireless tools when on the road.

Is the risk we just described reason enough for a hotel to take
electronic countermeasures, such as preventing guests from setting
up wireless networks on their property? A major hotel trade
association recently asked the Federal Communications Commission
for approval to do just that.

Some background. Last fall the FCC's Enforcement Bureau,
investigating a consumer complaint, found that a Tennessee resort
hotel was using equipment to send "de-authentication
packets" to Wi-Fi Internet access points set up by third
parties and not part of the hotel's Wi-Fi system. The
complaint had alleged the property did this to force convention
exhibitors to purchase expensive Internet services from the hotel,
by preventing them from tethering computers to personal smartphones
or Mi-Fi devices.[2] The hotel initially defended the
practice as a cybersecurity measure intended to protect guests
"from rogue wireless hotspots that can cause degraded service,
insidious cyber-attacks and identity theft," but agreed to
cease the practice and pay a $600,000 fine. The property
owner was heavily criticized in the press and court of public
opinion, but few commentators delved into the legal issue raised by
the FCC. Was it really unlawful for the hotel to protect its
network on private property using FCC-authorized
equipment?

The Communications Act prohibits willful or malicious interference
with "radio communications" of any "station"
licensed or authorized by the Act. Is a personal access
point, which is unlicensed, a "station" protected from
interference?

As it turns out, the enforcement action occurred against the
backdrop of an FCC petition filed by the American Hotel &
Lodging Association, along with Marriott International and Ryman
Hospitality. Those parties asked the FCC to find that it is
not a violation of the Federal Communications Act to interfere with
a hotel guest's personal hotspot as an incident to managing its
own Wi-Fi network. The petition claimed the practice could
protect hotel guests from signal interception, unauthorized network
access, and "man-in-the-middle" attacks where legitimate
Wi-Fi access points are "spoofed" by an
"intruder" intending to steal information from
unsuspecting guests trying to log on to the hotel's own wireless
network.

The FCC's Wireless Bureau asked for and received numerous
comments, from the likes of Microsoft, Google, the cable industry,
equipment providers such as Cisco, and Hilton Hotels.
Opposition was strong. A national cable industry association
claimed the hotel industry was seeking "the ability to disrupt
the wireless communications of anyone whose Wi-Fi signal competes
for spectrum with a venue owner's own access points or
otherwise behaves in a manner inconsistent with the owner's
business objectives." The wireless carrier industry
expressed some sympathy for the need to maintain network security,
but said Wi-Fi operators cannot "deputize themselves to
police" the unlicensed radiofrequency environment occupied by
Wi-Fi devices. Google cited legislative history in support of
its claim that blocking violated federal law, as well as the public
interest. On the other hand, Hilton Hotels claimed that
network management that interfered with customer access points was
practically an essential cybersecurity requirement.

We won't see an FCC order addressing the interesting legal
question posed by the petition. The hotel interests withdrew
their petition on January 30 and the FCC dismissed it by order on
February 13. Meanwhile, the FCC's Enforcement Bureau
reiterated in a late January press release: "No hotel,
convention center, or other commercial establishment or the network
operator providing services at such establishments may
intentionally block or disrupt personal Wi-Fi hot spots on such
premises, including as part of an effort to force consumers to
purchase access to the property owner's Wi-Fi
network."

We think it's worth asking whether this was a battle worth
winning. After all, hotels survive when guests are
satisfied. A legal "win" in favor of blocking that
appears more anti-consumer than privacy protective could result in
poor publicity for the industry. Amid the heated rhetoric
over the industry's motives for filing its petition, it was
easy for the mainstream press to lose sight of the real risks
to travelers who depend on wireless access in public
locations. Those issues are real. Regardless, the 2014
enforcement proceeding had cast a long shadow, and that may be the
reason the industry decided to check out early at the
FCC.

[2] Marriott International, Inc., Marriott Hotel Services, Inc., Consent Decree, 29 FCC Rcd. 11760, ¶¶ 5-6 (2014)