The FCC and You: Marriott will not block personal Wi-Fi devices after FCC fine, public outcry
A few weeks ago the news came out that Marriott International (full disclosure: I am a Platinum Premiere member of Marriott, having stayed more than 1000 nights at their properties in the last 15 years or so) wanted to persuade the FCC to allow them to “block” personal Wi-Fi devices at some of their properties. This all comes after they actually tried doing so without the blessing of the FCC last year. From the FCC website (October 3, 2014):
Marriott International, Inc. and its subsidiary, Marriott Hotel Services, Inc., will pay $600,000 to resolve a Federal Communications Commission investigation into whether Marriott intentionally interfered with and disabled Wi-Fi networks established by consumers in the conference facilities of the Gaylord Opryland Hotel and Convention Center in Nashville, Tennessee, in violation of Section 333 of the Communications Act. The FCC Enforcement Bureau’s investigation revealed that Marriott employees had used containment features of a Wi-Fi monitoring system at the Gaylord Opryland to prevent individuals from connecting to the Internet via their own personal Wi-Fi networks, while at the same time charging consumers, small businesses, and exhibitors as much as $1,000 per device to access Marriott’s Wi-Fi network.
Part of their unsuccessful “defense” to their FCC charges involved the fact that they weren’t actually “blocking” Wi-Fi signals with radio interference, they were using a highly-sophisticated method of spoofing the unauthorized Wi-Fi access point and then sending a “disconnect” packet. Genius. A douche-bag move to be sure, and it didn’t impress the FCC, but still genius. boingboing explains it this way (if you don’t like technical stuff, just skip this):
The technique employed, according to the FCC release, is deauthentication. It’s a common attack vector used by malicious parties to push clients off legitimate access points and get them to connect to “evil twins,” look-alike Wi-Fi networks that are hives of villainy, or to cause denial of service. The aircrack-ng software, for instance, lets you type in a very simple sequence that shoots the correct sequence of packets at a client and a router, and forces the two to stop talking, at least for a moment.
There is no authentication of deauth, ironically enough, although the kind of intrusion-detection and -mitigation hardware and software used by companies like Marriott can detect these attacks. (More irony in using a mitigation system to attack others.) Vendors of such products boast about the use of deauth — in regards only to booting unwanted people from their clients’ own Wi-Fi networks.
The FCC found this not clever at all, and Marriott (which acquired the property in 2012) is paying a $600,000 fine, and under the terms of the consent decree, must halt its Wi-Fi blocking and implement and report on a compliance plan at all its properties in America. The FCC report doesn’t say whether Marriott was engaged in similar activities elsewhere, but I suspect geeks will now be on high alert to check for it whenever they can’t maintain a Wi-Fi connection to their own gear at or near a hotel or convention center.
Although the last sentence explains it all to the average person reading this, Marriott tried defending their desire to make thousands of dollars off unwilling people by actually saying they were trying to protect their customers from “hackers” and they only planned on blocking it in their meeting spaces. From the Marriott Website:
We understand there have been concerns regarding our position on the FCC petition filing, perhaps due to a lack of clarity about the issue. To set the record straight it has never been nor will it ever be Marriott’s policy to limit our guests’ ability to access the Internet by all available means, including through the use of personal Mi-Fi and/or Wi-Fi devices. As a matter of fact, we invite and encourage our guests to use these Internet connectivity devices in our hotels. To be clear, this matter does not involve in any way Wi-Fi access in hotel guestrooms or lobby spaces.
The question at hand is what measures a network operator can take to detect and contain rogue and imposter Wi-Fi hotspots used in our meeting and conference spaces that pose a security threat to meeting or conference attendees or cause interference to the conference guest wireless network.
In light of the increased use of wireless technology to launch cyber-attacks and purposefully disrupt hotel networks, Marriott along with the American Hotel & Lodging Association on behalf of the entire hotel industry is seeking clarity from the FCC regarding what lawful measures a network operator can take to prevent such attacks from occurring. We feel this is extremely important as we are increasingly being asked what measures we take to protect our conference and meeting guests and the conference groups that are using Wi-Fi technology in our hotels.
Nice gesture, and at least I’d still be able to set up my own personal Wi-Fi network in my room with my portable router, but still no thanks.
So anyway, the gist of the story is that, after getting fined $600,000 by the FCC for intentionally jamming competing signals, they are now asking for permission. This isn’t likely. Wi-Fi (or, more specifically, 802.11a/b/g/n/etc) operates under Part 15 of the FCC rules for unlicensed devices. In other words, every Part 15 device must comply with the following FCC requirements and a label or document issued with the device must state the following:
This device complies with part 15 of FCC rules. Operation is subject to the following two conditions:
- This device may not cause harmful interference.
- This device must accept any interference received, including interference that may cause undesired operation.
So, Marriott wanted to use a Part 15 device to specifically do something that a Part 15 device is specifically not allowed to do. Classy.
One further interesting fact. Since part of the radio spectrum allocated to 802.11a/b/g/n/etc is shared with the amateur radio service (licensed under Part 97) then theoretically, if a licensed amateur operator set up Wi-Fi equipment to operate under his callsign, (which many hams actually do) he would be legally operating the equipment as a licensed amateur radio station. In that case, if the Marriott device blocked that communication, it would fall to the same level of both a law violation and general douchebaggery as if they were blocking a police or EMT walkie talkie in their lobby.
Anyway, after the public (including radio amateurs) made their official comments to the FCC, the FCC came out and said (from Smartmeetings.com):
all the public comments it has received indicate the public has “resoundingly” rejected Marriott International’s hopes to jam personal Wi-Fi devices and other networks during conventions and events at its hotels.
Which finally brings us to what is hopefully the “end of the story” as Marriott has finally thrown in the towel (from news.marriott.com):
January 14, 2015 – Marriott International listens to its customers, and we will not block guests from using their personal Wi-Fi devices at any of our managed hotels. Marriott remains committed to protecting the security of Wi-Fi access in meeting and conference areas at our hotels. We will continue to look to the FCC to clarify appropriate security measures network operators can take to protect customer data, and will continue to work with the industry and others to find appropriate market solutions that do not involve the blocking of Wi-Fi devices.
Another one in the win column.
(Published from 40,000 feet over Little Rock, Arkansas)