Marriott plans to block personal wifi hotspots
The hotel chain petitioned the FCC for changes that could let venues shut down personal networks. Microsoft, Google, and the cell industry are opposed.
Marriott is fighting for its right to block personal or mobile Wi-Fi hotspots—and claims that it’s for our own good.
The hotel chain and some others have a petition before the FCC to amend or clarify the rules that cover interference for unlicensed spectrum bands. They hope to gain the right to use network-management tools to quash Wi-Fi networks on their premises that they don’t approve of. In its view, this is necessary to ensure customer security and to protect children.
The petition, filed in August and strewn with technical mistakes, has received a number of formally filed comments from large organizations in recent weeks. If Marriott’s petition were to succeed, we’d likely see hotels that charge guests and convention centers that charge exhibitors flipping switches to shut down any Wi-Fi not operated by the venue. The American hotel industry's trade group is a co-filer of the petition, and Hilton submitted a comment in support: this isn't just Marriott talking.
But there are big guns in opposition, including Google, Microsoft, and the cell industry’s trade group, the CTIA. Even Cisco’s “support” of the Marriott petition seeks to minimize the extent to which a rule clarification would affect most users.
Earlier in 2014, the FCC fined Marriott for jamming the Wi-Fi networks of guests, exhibitors, and others at the Gaylord Opryland resort in Nashville. The hotel chain agreed to pay the FCC $600,000 in fines and create a compliance plan, with regularly filed updates, for all its properties.
Anyone can comment on this matter—click Submit a Filing—not only giant companies. Despite the FCC’s bad track record on media consolidation, fighting for strong network neutrality, and other issues, the agency does quite well in preserving consumer rights relative to spectrum use and cellular carriers, even if its actions in favor of consumers take far too long. FCC orders often cite comments by individuals and the quantity of responses—in fact, this whole mess got started because of a single person's complaint.
Unlicensed networks’ massive success
Wi-Fi operates in America in two unlicensed bands: 2.4 gigahertz (GHz) and 5 GHz. (The bands and rules are similar or identical in most of the rest of the world, too.) These unlicensed bands, along with a few others, allow the use of FCC-tested and -approved devices without a license on the part of the person operating the equipment, whether a Bluetooth headset or a Wi-Fi base station.
These Part 15 devices, so-called by the FCC rules under which they operate, have been massively successful in the U.S. and worldwide. Billions of gadgets use 2.4 GHz and 5 GHz radios—most of them running one of several generations of Bluetooth or Wi-Fi—dating back to the late 1990s.
But the fundamental rule of unlicensed spectrum is that devices need to expect and accept that interference exists. Radio techniques and network protocols have all been designed to produce as much co-existence as possible to maximize the utility of the spectrum. (Interference is sometimes defined as information that’s beyond the sensitivity of the receiver that’s trying to interpret it.)
Because there are no primary licensed users of these bands, everyone has to play nice, and the FCC enforces those rules fairly well. No one owns the spectrum, and thus everyone has seemingly equal rights to it. This has been upheld in FCC rulings repeatedly over the years. (One exception: amateur radio users and a few other kinds of technology, including TV vans that send video from the field back to a studio, have licensed uses of the band, but they are limited in scope and number.)
Nobody owns unlicensed use of the bands. Nobody can tell you nor can you tell anyone else how to use the bands. Nobody can operate similar equipment that prevents your use of the bands.
So far, so good. Now on to Marriott’s ersatz jamming behavior.
Smacking down alleged rogues
Marriot's earlier customer-jamming scheme wasn’t accomplished through radio interference. Radio jammers, though widely available, are illegal in the U.S. and most countries. Truck drivers use them to suppress GPS reception and avoid being well-tracked by employers. Some venues use them to prevent cellular phone usage. Rather, Marriott used wireless network management software and hardware that can monitor a combination of logical stuff (how a Wi-Fi network is being used to identify problems or bad behavior) and physical stuff (the spectrum in use by what devices and base stations).
This software can mitigate network problems by shutting down bad players. For instance, a government facility, a corporation, or a school might have varied reasons for not wanting anyone on site to operate a separate Wi-Fi network outside the ones directly managed, because it might leak secure information, offer outside access into a protected network, or allow students to see material in contravention of school or government rules.
Such a network could be a Wi-Fi base station plugged into an Ethernet port, a software base station created by a computer connected to the network, or a personal or mobile hotspot connected via a cellular data network. These networks might be created by those who don’t know about or agree with a security policy, or for a malicious purpose, such as creating an “evil twin” or “honeyspot” network that resembles a legitimate network to pull in wireless connections and then sniff and misdirect them to extract data.
Rogue AP detection and mitigation relies on the fact that much of the handshaking between devices in Wi-Fi connections isn’t validated. A network-management system can prevent clients from associating with Wi-Fi networks under its control in a number of ways, but they can also block wireless devices from connecting with other networks that are in range. This typically involves sending deauthentication frames—frames are data packets in the wireless world—that either or both spoof the client or base station. (This is also a way to launch a denial-of-service attack, by a rogue hotspot spewing out such frames against legitimate local usage.)
These defensive systems have been available for at least a decade. They are widely deployed and used for the reasons cited above. And there’s never been a ruling by the FCC nor by federal courts as to whether they operate within the FCC’s rules.
The FCC reserves all rights to the regulation of wireless spectrum to itself. Even licensed owners of spectrum—such as cellular networks—aren’t allowed to employ techniques to jam other users. Rather, they pull in enforcement from the FCC, which tracks down, shuts down, fines, and even proffers criminal charges against violators.
Marriott is asking, therefore, for a unique right: the right to police spectrum privately based on property rights. As Cisco put it in its comment, “Wi-Fi operators may not ‘deputize’ themselves to police the Part 15 radio frequency environment.”
Which parties are at this table, anyway?
This petition represents the collision of multiple, competing interests, some of whom are customers or suppliers to each other.
Marriott and other hospitality and convention businesses want to preserve their ability to have a locked-in audience for which they can set arbitrary rates for Internet access. If these groups didn’t charge exorbitant rates, their arguments about network management would carry more water. As one commenter to the FCC, Glen E. Ashman, noted, “This is simply a ploy to force guests to pay extra for premium service.” (Marriott posted a statement on December 30 stating that its petition is entirely about protecting its conference and meeting spaces. However, the petition doesn't limit discussion in any way to just those areas. The settlement paid to the FCC in October also specifically covers blocking personal use of hotspots by guests.)
Mobile operating system makers and cellular networks have every motivation to let their customers use personal hotspots on phones and tablets, as well as mobile hotspots from NetGear and others, because such accessibility encourages people to buy higher-usage plans or pay overage fees, and emphasizes the utility of the network, especially the new 4G LTE networks which may be far faster than a hotel’s service. The CTIA in its comment wrote, “…all Part 15 devices, including mobile devices that incorporate Part 15 capabilities, have equal rights to use unlicensed spectrum; no single entity may intentionally prevent others from using that spectrum.”
Companies that sell to corporate, government, and academic markets, as well as IT people running systems in those markets, are nervous. There is no current regulatory structure under which they knock rogue APs off networks operated on or near their premises. If the FCC were to issue a response to Marriott’s petition that banned all forms of deauthentication against non-authorized networks, this reduces the effectiveness of these products and opens customers to legal liability as long as the current generation of software is still running. This is why Cisco filed a comment rejecting Marriott’s general position, but supporting the notion of mitigation.
So far, there’s no organization representing consumers, small businesses, trade-show exhibitors, or business travellers that has submitted a comment, though a couple dozen individuals have. The affected parties are these groups. The original complaint against Marriott came from a savvy business traveller who saw what was up. Should Marriott get what it wants, we’d all have to use hotel or convention Wi-Fi; portable hotspots would fail, and our cell phones' Wi-Fi sharing would be disabled, though USB and Bluetooth tethering would continue to work.
There’s also no representation from businesses and people adjacent to hospitality operations. If a hotel is in a city, how can it possibly protect just its own network without disabling all the dozens of networks around it without whitelisting those networks—in effect, requiring neighbors to register with them.
Clear the interference
The petition and a few of the supporting comments out of 42 filed by citizens, groups, and companies, get into the meaning of interference under the FCC’s Section 333, the regulation used by the agency to fine and put in place an order against Marriott. The petition wants the FCC to declare an affirmative right for property owners to be able to suppress Wi-Fi networks on the basis of “security and reliability.”
But the petition misstates many things. It cites on page 10 and 11 and in Appendix A how universities “employ various techniques to ensure network performance,” but then exclusively refers to policies and actions that apply only to the use of Wi-Fi networks operated by the institutions—not other Wi-Fi networks on campus. That was so egregious that Brown University filed a comment explaining that Marriott et al. had gotten it wrong.
On page 12, it makes multiple ridiculous technical boners. It implies that only three nonoverlapping 2.4 GHz channels can be used effectively in the same space by calling them “non-interfering”; this is technically and practically incorrect. It also says that the 5 GHz band has just four non-overlapping channels—but the number is actually eight. The basic channel width for 5 GHz is 20 MHz, of which there are 23 non-overlapping channels available, although many base stations only support eight of those. Between 2.4 GHz and 5 GHz there are 11 completely clear channels, and as many as 34 with some provisos. (802.11n and 802.11ac can pair up 20 MHz channels for more throughput, but it's dynamic: it occurs only when there aren't competing uses that it can detect.)
It gets even more tendentious as it goes on, noting in one place that the FCC failure to act could mean, “a hotel could decide to prohibit guests from bringing Part 15 devices on the hotel’s property.” Uh huh. That would mean bag searches to prevent cellular phones, wireless headsets computers, portable game systems, and tablets from being brought into a hotel. Maybe a search every time you re-enter the hotel of every guest and visitor. Or active monitoring and a knock on the door: "Hotel Wi-Fi detective! Open up!" Right.
But beyond the technical errors and absurd scenarios, Marriott’s petition is prima facie incompetent because it is trying to claim rights that nobody possesses, no matter what contortions it puts itself into. “Those who wish exclusive use of spectrum can buy some,” wrote Arnold G. Reinhold in a comment; he received his first amateur radio license in 1957. Reinhold’s succinct statement is apt: the use of unlicensed bands is predicated on the notion that nobody owns them. Marriott’s assertion of the right to cause “interference” as part of its property rights is found nowhere in FCC rules or court decisions. If you want exclusive rights, then you buy spectrum. Wi-Fi usage isn’t exclusive, and thus you can’t enforce exclusive geographic rights.
Cisco argues for a middle ground that protects its corporate clients on campuses and in buildings, but would not allow Marriott its particular use case:
Unlicensed spectrum generally should be open and available to all who wish to make use of it, but access to unlicensed spectrum resources can and should be balanced against the need to protect networks, data and devices from security threats and potentially other limited network management concerns.
For example, in public places or places where the public is routinely invited, users have every reason to expect that they can make use of personal hot spot technology, unless the user’s device is presenting a security threat of some type to the co-located enterprise or service provider Wi-Fi network.
That balance shifts in enterprise locations, where many entities use their Wi-Fi networks to convey company confidential information, trade secrets, and for the safety and security of the firm and its employees.
That’s pretty language, but these qualifications and the kinds of situations I cited earlier are not defined as carveouts for unlicensed spectrum. But there are no exceptions; Cisco wants the FCC to create them.
Businesses and other venues can have policies for visitors and employees, and escort guests out or fire workers for violating restrictions on setting up Wi-Fi networks. Corporate networks with the capability of detecting and blocking ostensible rogue Wi-Fi networks can also prevent the computers on the network from being able to run software base stations and lock down Ethernet (through several means) to prevent just plugging one in. The tools that mitigate can also physically pinpoint the rogue operation, to allow security or managers to descend upon the location. Students can be suspended or expelled if found out, if there's a policy. All these options already exist.
Cisco and others also want to argue that preventing other networks from operating is not interference, even though the functional outcome is precisely the same. The supporters and opponents in comments fight over whether radio-frequency “interference” can include offensive network management practices which require impersonating another device. The FCC will have to make a determination, and courts beyond that, if parties aren’t satisfied.
What’s all the static
Why make such a fuss about something that appears to be money-grubbing activity (or, charitably, careful management of one revenue stream out of many required for profitability) by hospitality organizations? The least-expensive hotel chains, like Best Western, include Wi-Fi at no cost. The more expensive the hotel, the more likely you have to pay, unless you’re a member of the hotel’s loyalty club or possess its branded credit card—so perhaps this affects only businesses and those well-off enough to stay in such places. And exhibitors who have to pay through the nose typically represent companies, and it’s one of the expenses of participating. And shouldn’t the benefit of security and network management that at least Cisco is fighting for win the day?
Frankly, no. While I sympathize with network managers, this is a simple appropriation of public property, one we see far too often. Unlicensed spectrum is the purest expression of “the commons” that exists in America today. There is quite literally nothing else like it where every participant is forced to participate under the same rules, and, large and small, receive the same benefits.
Even in areas with lots of wireless cows chomping at the digital grass, the rules in place typically preserve the commons or force some kind of accommodation among users. Allowing companies to exercise the FCC's jurisdiction is a taking of public space. (Apple’s “Wi-Fi” network failure during a 2010 demo because of mobile hotspots was because of limitations in the cellular networks, not because of Wi-Fi.)
FCC commenter Eric Pederson wrote, “I live in a high-rise apartment building in New York City. I typically see 20-plus of my neighbors’ SSIDs. Yet somehow my Wi-Fi works just fine.” Wi-Fi is resilient. Marriott and its supporters are not. If sense prevails at the FCC, which the agency appears to have on this subject, hotels are going to need to suck it up, and the rest of us can keep exercising our spectrum rights.
Article was updated to include a link to Marriott's statement on its petition that appeared while this article was in production.
An outstanding post on the EFF’s Deeplinks blog by my colleague Ernesto Falcon explains the negligent chain of events that led us into the Stingray disaster, where whole cities are being blanketed in continuous location surveillance, without warrants, public consultation, or due process, thanks to the prevalence of “IMSI catchers” (“Stingrays,” “Dirtboxes,” “cell-site simulators,” etc) […]
Tea Party-dominated states across America passed laws banning cities from providing high-speed internet access to their residents, even in places where the cable/telco duopoly had decided not to sell broadband; last year, the FCC issued an order stating that these laws were null and void.
As the fight over the FCC’s Unlock the Box plan heats up, the cable and satellite TV companies have pulled out all the stops in a bid to force you to continue spending more than $200/year to rent an insecure, power-hungry, badly designed set-top box, rather than introducing competition by letting you buy your cable-box […]
Nothing is more frustrating than needing to edit or sign a PDF and not having access to the original document. That’s why PDFpenPRO is a must-have app in our books.With this extremely useful app, you can merge, markup, and create PDF documents without ever having to convert your PDFs into word processor file formats. Type directly onto […]
From self-driving cars to stock market predicting software to the recommendations you get on Amazon and Netflix, machine learning is at the core of modern technology. You could find yourself building technology that is literally changing the world with the skills you’ll learn in The Complete Machine Learning Bundle. This bundle of 10 courses includes 406 lessons that will teach […]
This Python Mega Course will help you learn to code by teaching you to build 10 real-world apps that each highlight a unique use of Python.Job prospects for coders are still growing steadily—and with Python being one of the most popular coding languages out there today, it’s important for job seekers to demonstrate a widespread understanding of the […]