Following the FCC’s warning in January that it would no longer tolerate the Marriotts of the world blocking visitors’ WiFi hotspots, I set a reminder on my calendar to revisit the topic six months later. After all, the issue of WiFi blocking sparked strong reactions from IT pros, end users and vendors of wireless LAN products early in the year, and I figured it wasn’t over yet.
So I started by making an inquiry directly to Marriott Global CIO Bruce Hoffmeister, who foisted me on to a company spokesman, who “respectfully declined” to connect me with anyone for an update on how Marriott is now dealing with perceived threats to its network. He simply directed me back to Marriott’s statement from January that it would behave itself, no doubt hoping the hotel chain could further distance itself from the $600K fine that the FCC hit it with, as well as the rest of the bad publicity. I also inquired at the FCC, which, in Marriott-like fashion, referred me back to the agency’s last statement on the matter from January, and, in a follow-up, said it can’t comment on whether any new investigations are underway. Most of the WLAN vendors and administrators were pretty quiet, too, when I made the rounds a few weeks back.
While all this was demoralizing, my intuition about this story still having legs was validated last week (while I was on vacation, of course) when the FCC slapped an Internet service provider called Smart City with a $750,000 fine for pulling a Marriott at several locations and blocking personal WiFi hotspots. Smart City was found not to be protecting its network against any specific security threat, but rather, trying to force people to pay for its Internet service.
So despite Marriott’s best efforts, the hotel chain’s past shenanigans were dredged up again in coverage of the Smart City story. Because now all of a sudden, everyone’s talking again.
One vendor spokesman expressed surprise that the FCC had once again levied a big fine on a WiFi blocker: “Trying to control and govern the unlicensed spectrum is a tall order, especially in venues and public areas.”
One university network architect, Lee Badman, published an open letter to the FCC on his blog following the FCC's Smart City order in which he says “as a WLAN professional I implore you to recognize that these actions are creating significant amounts of confusion for enterprise Wi-Fi environments and those of us who keep them operational for the millions of business clients that use them every day.” He goes on to list 5 big questions hanging over the WLAN space in the wake of the latest FCC ruling on WiFi blocking.
Among the things Badman’s peers are worried about or are wondering about:
* Does using frequency blocking material in building design constitute WiFi blocking in a passive way?
* Does getting end users to agree to acceptable use policies (AUPs) protect WLAN operators from getting busted for WiFi blocking?
* How can the de-auth/mitigation tools sold by WLAN vendors be used legally?
Some users would also like to see WLAN vendors band together and get clearer answers about what customers can and can’t do in terms of WiFi security and management. And in fact, some vendors have been working, at least in the hospitality industry, to come up with best practices for successful WiFi deployments. The Hotel Technology Next Generation association, which includes Marriott among its members, issued a WiFi roadmap in April that, while only touching on the topic of blocking tools, looks like it has some potential to help organizations stay on the right side of the law. (Meanwhile, the American Hotel & Lodging Association, a hospitality industry group that sided with Marriott’s right to block users of personal Wi-Fi hotspots, claims to have formed a Cybersecurity Task Force but did not reply to my inquiries earlier this month about whether the task force has in fact been formed or accomplished anything yet.)
PLEASE, PLEASE, PLEASE FCC
One WLAN vendor that isn’t shying away from the WiFi blocking topic is Xirrus. CEO Shane Buckley told me this week that: “Our feedback to the FCC has been please, please, please look at this very carefully. There are lots of good reasons why WiFi blocking is a requirement in certain markets and a distinct benefit from a security perspective in others.”
Buckley suggests that the FCC should allow Wi-Fi blocking at least in the interim, and then “re-open the discussion on the use of this technology and clarify when its use is practical and acceptable. Wi-Fi vendors also need to collaborate to come up with better security mechanisms in public Wi-Fi networks.” He acknowledges that the topic is complicated given that we're talking about unlicensed spectrum that's free for anyone to use.
Xirrus is especially passionate about K-12 schools being able to use WiFi blocking (rogue AP protection/mitigation) to protect students from accessing unfiltered Internet content – protections that the schools have put in place to comply with federal laws designed to safeguard children. Though Buckley says this could also apply to public access Wi-Fi environments, such as cafes, airports and public libraries where you don’t want people potentially “displaying illicit content on their devices” in full view of others.
Buckley stresses that one reason public WLAN operators need to be able to have security tools such as WiFi blocking at their disposal is because such networks can attract schemers who set up bogus hotspots to lure unsuspecting users, say those in a hotel lobby or convention center, to share sensitive personal information. One question then becomes whether a hotel not blocking WiFi could get sued for a guest getting phished after logging onto what he or she thought was the hotel’s network.
While Buckley would very much like to see further dialogue with the FCC take place, Xirrus isn’t waiting around for that to happen either. He says that in a few weeks the company is coming out with technology that will greatly bolster public WLAN network security. “WiFi blocking is another tool that can be used to protect users, but let’s not forget that security is all about defense in depth. You can’t rely on just one layer.”