As an engineer I spend a lot of time looking and pondering the impact that a new product or idea will have on the industry as a whole. Clues to the future of technology can come in many forms.One source can be found in pending legislation both in this country and abroad. As a wireless engineer I have a particular interest in Wi-Fi hotspots. My intention in writing this article is not to start a debate on civil rights / liberties, but rather to throw out an idea and see what thoughts others might have on the subject. I encourage you, the reader, to leave your comments. Like many people in our increasingly mobile society I have used a hotspot, a place where the coffee flows freely and the internet is freely available. If I own a restaurant and have a desire to succeed, I need to be competitive; I need people to visit my establishment. Almost every restaurant in town offers free Wi-Fi to its guests. So as an aspiring entrepreneur I go down to the local electronics store, buy a wireless access point (AP) and wham I have a hotspot. But does my responsibility end there, or is that just the beginning? What if a customer uses my internet connection to download copyrighted material, who is monetarily liable? What if the free internet at my coffee house is used to plan a terrorist attack or exchange child pornography? In a recent court case in Germany a musician sued and won when his copyrighted song was downloaded from an open wireless connection. What’s really sad about this case is that the owner of the unsecured wireless network was a private individual and could prove that they were on vacation at that time. The German court also ordered that all owners of open Wi-Fi networks secure their networks or be fined. According to the Associated Press, the court in Karlsruhe ruled that Internet users can be fined up to €100 ($126 USD) if a third party takes advantage of their unprotected WLAN connection to illegally download music or other files. But the court stopped short of holding the users responsible for the illegal content the third party downloads themselves. http://www.dslreports.com/shownews/German-Court-Secure-Your-Hotspot-Or-Be-Fined-108363 http://www.foxnews.com/world/2010/05/12/german-court-web-users-secure-wireless-connection-stop-using-illegally-284294584/ In February of 2009 legislation was proposed here in the USA that would force both ISPs and Wi-Fi hotspot owners to maintain user data and logs for two years. This legislation would aid in the fight against child pornography, protect the interests of copyright holders such as the Recording Industry Association of America (RIAA) and the Motion Picture Association of America (MPAA). Copyright holders here in the USA and abroad have petitioned for such laws for a long time; claiming this would help in identifying file sharers. http://www.myce.com/news/Data-retention-bill-helps-copyright-holders-15564/ Unsecured public Wi-Fi hotspots can be found almost anywhere and they make sense from a business perspective. If you’re a mall owner they keep people in the building longer. A mall customer can check their email, check into the office all while dining in the food court. They can be used to attract more long-haul drivers to your truck stop. Provide a reason, other than the view, for people to enjoy your RV Park. Hotspots are here and they do attract more business; but what about the hotspot owners responsibility? If I am providing internet service to the public, have I not become an ISP (Internet Service Provider)? Before starting that free Wi-Fi hotspot business owners need ask themselves what are the risks, liabilities, and exposure both to me personally and to my business. I am as far from anti hotspot as you can get, but just because its free internet does not mean it has to be a free-for-all. If we as a society want to keep free and open hotspots than we also need to take some minimal security measures to reduce our personal liability and protect our ability and freedom to both offer and take advantage of free Wi-Fi. This is called being responsible, remember that all it will take is a catalyst, one idiot one event and we could see something like the Internet Safety Act passed or even something like CALEA (Communications Assistance for Law Enforcement Act) extended to hotspot owners. This would bring an end to the free open Wi-Fi hotspot at the neighborhood café. I am not a lawyer, I’m an engineer; my goal is to get you to think about the possibilities. At a minimum hotspot owners should have an acceptable use policy. Talk to your lawyer about this, by protecting your business, taking some minimal steps you protect our privilege as well. Unfortunately, in the current Free-for-All model, there is no way to control who is connecting; it could be someone outside in the parking lot. With this style of open Wi-Fi it is impossible to have someone agree to an acceptable use policy; let alone prove they read it without special equipment. There are many ways to secure a hotspot all with varying levels of security and varying price tags. One way is use a firewall to lock down your hotspot, allowing only ports 80 and 443 to be used. Each type of application uses a port, by blocking ports you block applications. For example, if you don’t want people sending out spam from your hotspot block port 25. Port 80 is used for web browsing, when you look at the address bar in your web browser and you see http:// that’s port 80. When you shop or do your banking online you are using port 443 and your address bar will have https:// at the beginning of the address. These two ports account for 99.9% of internet traffic at the local Wi-Fi hotspot. Most people who need access to their email also have access to webmail and since this is browser based ports 80 and 443 will work just fine. The simplest and least expensive way is to use encryption. Although this does not stop someone from using your hotspot for illegal activity, it does in my book, meet the minimal security measures to protect your business. By adding WEP or WPA to your hotspot it requires users to have access to a key or paraphrase to access the network. This, at the very least, will keep people from connecting while sitting in the parking lot. It will also force them to receive the key or paraphrase along with your acceptable use policy. Some large organizations have moved to an account based model. Starbucks, McDonalds and even the Ohio Turnpike rest stops have wireless internet; all based on a pay as you go model. With this model the user is required to sign-up for an account, accept the acceptable use policy, and pay for access to the wireless network. I am not advocating the pay model, but signing up for an account does have advantages. One the user can be forced to agree to the acceptable use policy, second the login information can be emailed to the subscriber. By emailing the subscriber account information you have a verification method in place. This method is the most expensive, but a basic authentication system can still be put together for under $3,500 and can be paid for with advertising dollars. Another method is to use a transparent proxy server, often called an intercepting proxy server; this type of proxy is used a lot in business. When a connection is made by the client’s browser through the gateway it is redirected to the proxy without any configuration on the client side. They are most often used in business for this exact purpose to redirect a user to the companies acceptable use policy. This feature can be found in almost any Access Point that is designed for hotspot use. These are just a few of the ways that you, as a hotspot operator, can protect your company and the privilege of your customers. By taking responsibility and avoiding the set-it-forget it attitude we can continue to enjoy our fries with that hotspot.
Other reading: http://www.pcworld.com/businesscenter/article/160546/why_your_wifi_hotspots_could_be_at_risk.html http://en.wikipedia.org/wiki/Proxy_server