Among other interesting points is that they seem to have been using the same "de-authentication" trick that Marriott had used in a similar case a while ago. Also, they make an argument about density and interference that IMO shouldn't be dismissed out of hand. I still think they were wrong and deserved the fine, but it's worth keeping in mind that mobile hotspots can fall afoul of the very same principle and law behind that fine.
> For instance, in those cases in which Smart City has used de-authentication in the past, it targeted only access points and wireless devices that are located within the confined and proprietary space of the exhibit hall -- areas of a convention center that are licensed for private event and to which access is limited -- and that pose a threat to secure, reliable, WiFi availability within that confined space.
That's not how WiFi works. They cannot know for a fact that these WiFi hotspots are within the convention space, they could and likely are, blocking WiFi located outside of that space.
Additionally they're claiming that they literally own the radio spectrum within a "proprietary space" which is a dangerous line. What is stopping them from blocking all cellular signals or worse charging cellphone companies for the signal travelling through their space?
Their point about security is nonsense. The technology they're employing is DESIGNED to secure WiFi networks by disconnecting actually rogue APs (i.e. devices squawking the same SSID as their network), that is still legal, the problem they and the Hilten ran into is that they took tech' designed for security and mis-used it for monopolising the WiFi spectrum within their convention centers.
So, sorry, no. If your WiFi network is called SmartCityWiFi and you disconnect MyHotSpot then you're breaking the law and have zero security arguments to make.
Good on the FCC for giving these guys a fine. Too bad it wasn't more. I read their arguments and it has only made me side with the FCC more. What they're asking for would make the world a worse place in general and only helps their bottom line.
>That's not how WiFi works. They cannot know for a fact that these WiFi hotspots are within the convention space, they could and likely are, blocking WiFi located outside of that space.
To play devil's advocate, some APs support rogue triangulation. Ours plot any rogues on a building map so we know exactly where they are. When combined with a proper wireless survey, you could ensure that they don't deauth anything beyond the building perimeter. Not that I recommend that, since at the very least someone should be able to tether their phone if they want. But also because it puts additional overhead on your APs, which are usually already taxed in high-usage areas.
>that is still legal, the problem they and the Hilten ran into is that they took tech' designed for security and mis-used it for monopolising the WiFi spectrum within their convention centers.
Why is this legal while the other practice is not? Say the conference center uses a wifi named HallWifi. Why are they allowed to block me from using the same SSID but not HallWifi2 or else? Also, what about blocking similar SSIDs like Hal1Wifi?
This seems one of those things where you have to write a 'I can't define exactly what is illegal, but I know it when I see it' law. I really don't like those types of laws.
Bingo. You are totally and 100% legitimately allowed to hijack, block, and/or de-auth rogue WiFi access points broadcasting the same SSID as you so long as the blocking is targeted at your own property (some leakage is inevitable).
If attendees were naming their personal hotspots "SmartCity" then SmartCity would have a point. They weren't.
Uh, no. Just because you think this should be the law doesn't mean it is the law.
Instead the law in the United States is that you aren't allowed to jam anyone, aren't allowed to interfere with the operation of other computers on the internet, and whether the computers are on your real estate or not has nothing at all to do with it.
In the first paragraph you mention property, but SSIDs aren't property. They don't own "SmartCity" and you don't own "RandomPundit" and I don't own "DidMyResearch" either. The legal point seems to be whether Smart City's actions were limited to the physical space they owned or leased, not what SSIDs were involved.
Yeah, I'm not seeing any evidence that they were the first to be using a particular SSID when they shut them down.
What happens if we both have the same SSID and move into the same area? Who 'owns' that SSID? Smart City gets to just roll into town taking over any SSID it wants?
As far as I can tell, strongest signal wins (assuming it's within transmit-power limits). Probably just as well, since adjudicating disputes over who owns what SSID in what space would be a total nightmare.
> They cannot know for a fact that these WiFi hotspots are within the convention space
You don't think triangulation can be that accurate?
> they could and likely are, blocking WiFi located outside of that space.
You have even less basis for that statement than they had for theirs.
> They're claiming that they literally own the radio spectrum within a "proprietary space" which is a dangerous line.
Absolutely agree. That's why we need to have those conversations, instead of just oversimplifying into "bad guys" trying to meet their SLAs and "good guys" bringing whatever gadgets they want to the party.
> If your WiFi network is called SmartCityWiFi and you disconnect MyHotSpot then you're breaking the law
[citation needed]
> Good on the FCC for giving these guys a fine
I agree. In my opinion spoofing de-auth packets should be legally equivalent to jamming (currently it's not) and should be severely punished. The fine was deserved. On the other hand, let's not rush to throw the baby out with the bathwater. There is a serious issue here, which won't go away until we face it.
> You don't think triangulation can be that accurate?
Does Cisco's anti-rogue AP tech perform triangulation? Why would it when it isn't designed to limit what people can do in physical spaces?
> You have even less basis for that statement than they had for theirs.
I know how the tech works. I know how the anti-rogue AP tech works. I have plenty of reasons for believing that they're disconnecting APs outside of a physical zone (since it isn't designed to do accomplish that to begin with).
>> If your WiFi network is called SmartCityWiFi and you disconnect MyHotSpot then you're breaking the law
> [citation needed]
Literally the article this entire thread is about... The FCC's fine of Smart City today that we're discussing is the citation. I cannot believe you even asked for that... Wow.
> Literally the article this entire thread is about
As another commenter so politely put it, and received no censure, absolutely wrong. You're trying to make a distinction based on SSIDs, and SSIDs have no legal standing. The string "SSID" doesn't even appear in the FCC's decision. Reasonable people can disagree on whether this was the right decision, and as it happens we do agree. Reasonable people can disagree on which statutes, definitions, etc. apply. However, reasonable people can not claim that the entire thread is about SSIDs. To quote you, "Wow."
That's a strawman, the term "SSID" appearing or not appearing is irrelevant. The distinction is about legal and illegal usage of rogue AP containment. To quote Cisco[0]:
> Rogue AP-connected clients, or rogue ad hoc connected clients, may be contained by sending 802.11 de-authentication packets from local APs. This should be done only after steps have been taken to ensure that the AP is truly a rogue AP, because it is illegal to do this to a legitimate AP in a neighboring WLAN. This is the reason why Cisco removed the automatic rogue AP containment feature from this solution.
You're arguing that it is illegal in all circumstances, Cisco disagrees. The FCC also has not brought a single enforcement action against anyone utilising rogue AP containment the way it was designed, they have only brought it against businesses using it to shut down third party WiFi (that wasn't pretending to belong to the same network).
Speaking of strawmen, I am not arguing that rogue AP containment is always illegal. Nor am I arguing that it's always legal. I believe this is a matter of consent. If you enter a space where wifi hotspots are forbidden, then your proprietor can de-auth you to hell and the FCC should have nothing to say about it. It's not interference any more; it's an agreed-to limitation on use.
Your Cisco quote is a complete non sequitur because you're assuming a very particular definition of "legitimate AP" when none is present or implied by law. A "legitimate AP" is one that is not itself being operated in violation of the law, and a "neighboring WLAN" is one that you do not own or have consent to manage. With correct or reasonable definitions, that quote doesn't support your position at all.
No, its not. This is quite obvious from the time of the documents (The January 15 document you point to could not, even without looking at its content, be a response to the settlement the FCC just announced with Smart City.)
If you actually read the content of the thing you say is "Smart City's response", its Smart City's response comments in support of a petition filed by Marriot [0]seeking to have the FCC repudiate the principle that formed part of the basis for the judgement against Marriot and Smart City.
But note that even in that response, Smart City does not take the position that the actions for which it was being investigated, which it admitted to in the Consent Decree and claims to have discontinued when it learned of the investigation in 2014, should be permitted, instead taking a position that de-authentication should be allowed when based on specific objective measures indicating a threat to networks, whereas what they were doing (by their own admission) before, and were fined for, was indiscriminating sending de-authentication packets shut down WiFi access points that they did not control.
> What, time didn't exist before today's decision?
Time did, and part of time is that responses don't occur before the thing they respond to.
> It was a response - just to an earlier round of the same debate
Its not even that; its a response in a parallel but tangentially related proceeding that started after the complaint on which the current Consent Decree was filed, addressed a different issue, and was never resolved because the party that filed it (Marriott) later withdrew it.
And Smart City's response in that proceeding essentially argues that the FCC can and should prohibit the conduct which Smart City admitted to in the consent decree, though it argues that the prohibition should be based on a different legal foundation than the one cited in the Marriott and now Smart City consent decrees.
(It also argues that the FCC should not prohibit a different, more targeted practice of de-authing that is actually based on more specific objective indicia of a threat to an existing network, which no FCC enforcement action as yet has targeted.)
Also absolutely wrong. There is a complete difference between a noisy environment (lots of mobile hotspots / access points) and an environment with an active attacker (device sending out deliberate deauth signals). Try to understand the difference, it's the key to the case.
> 47 U.S. Code § 333 - Willful or malicious interference
>
> No person shall willfully or maliciously interfere with
> or cause interference to any radio communications of any
> station licensed or authorized by or under this chapter
> or operated by the United States Government.
The method of interference (‘jamming’ or sending deauth packets) is irrelevant.
OK, let's play that game. What is the legal definition of "interference" with respect to this statute? What is the legal definition of "interference" with respect to the FCC? Does or should the FCC have jurisdiction over "interference" above the physical level? That's a pretty hotly debated topic. Extending the FCC's mandate in this way might not actually be such a great idea, even if it would have yielded the outcome you want in this particular case. Also, what makes 47§333 so sacred? ISTRC that it has been used to prosecute hackers that were doing nothing wrong. Personally, I think this set of issues should be addressed in a more organized way than by throwing random statutes and regulatory agencies at it.
> What is the legal definition of "interference" with respect to this statute?
“Any emission, radiation or induction that [...] seriously degrades, obstructs or repeatedly interrupts a radiocommunications service operating in accordance with this chapter.” (Emphasis added. The elision is specific to navigation and safety services.)
No, the “emission, radiation, or induction” of the bit pattern is an “emission, radiation, or induction”. The bit pattern is perfectly fine; you can print it on a t-shirt or tattoo it on your forehead and the law won't care. You can even emit, radiate, or induce it as long as that doesn't willfully or maliciously seriously degrade, obstruct or repeatedly interrupt a radiocommunications service.
> Yes, the mechanism is different, but the basic problem of interfering with others' communication is the same.
The legal problem isn't the effect of interfering with others' communication, its the active intent to interfere with others' communication.
So, no, a noisy environment because lots of people set up WiFi hotspots with no intent to prevent use (even though it may prevent some uses) does not pose the same legal issue as an environment in which someone is intentionally actively denying people the use of WiFi hotspots by spoofing de-auth packets.
How would mobile hotspots fall afoul of the same thing? If you get enough of them active in the same area you might get degraded or even nonexistent service, but that's not at all the same thing as sending fake deauthentication packets in a deliberate act to prevent other devices from working.
No, it's not the same as sending de-auth packets, but it's still interference with their signal on their property and that's an issue quite worthy of concern. That's why we have laws about jamming devices or radiated-power limits. I think their reaction was inappropriate, but the basic principle of not interfering with others' communications still cuts both ways. We need a better way to deal with such conflicts, which are only going to become more and more frequent and severe.
We have a system to address the public airwaves, which include all the airwaves on all property since the electromagnetic spectrum conveniently ignores our artificial property boundaries.
That system is called "licensing" and SmartCity is completely free to apply for a license to own their own slice of spectrum. When you are talking about single-building uses or point-to-point links they aren't even that expensive (unlike regional or national cellular frequencies for example). Good luck getting hardware makers to adopt your special snowflake system!
WiFi operates on unlicensed bands. By using such bands you are bound by various rules (like power transmit limits) designed to ensure everyone has shared access. WiFi itself is designed to scale down power and share transmit time to keep the noise low. In fact using a personal hotspot isn't likely to cause much interference since the devices are likely right next to each other and transmitting at very low power levels.
What you can't do is take the spectrum, protocols, and devices designed to allow everyone to share and hijack it to stop other people from using it.
You might make the case that officially certified WiFi devices should include some frequency bands that are license-only so that large venues could apply for exclusive use of certain frequencies* but unless and until that happens you are legally required to abide by the same rules as everyone else, even on your property.
* As radio chips get better it becomes more and more feasible to include the hardware for a multitude of frequencies (chips, amps, filters, etc); eventually SDR will make it possible to support a huge range.
>That system is called "licensing" and SmartCity is completely free to apply for a license to own their own slice of spectrum.
In this context, (hotel internet) it doesn't seem reasonable to ask them to start manufacturing their own wireless cards that support a wider spectrum, since everybody staying at the hotel would need one.
We're not asking them to do this, just saying that this is what they'd have to do if they want to have a frequency that's protected from other users.
Right now, hotels have two choices. They can support cheap commodity equipment that uses unlicensed spectrum, but they have to accept that everyone is allowed to use that spectrum as they wish (within the rules) and this might impact the hotel's use. Or they can use expensive specialized equipment that nobody owns, and have guaranteed exclusivity to their bit of spectrum in that area.
I think a third choice would be great, to have commodity hardware that can access licensed spectrum so that venues who want to guarantee exclusivity can obtain a license while allowing their users to use standard hardware.
But that third choice isn't available, so the reality of the situation is the two choices above. Naturally, venues pick the option with commodity equipment and no exclusivity. And that's totally fine. But they can't then try to force exclusivity into the situation afterwards.
The whole idea of these unlicensed bands is that there are limits on power and such, and otherwise you can more or less do what you want as long as you're not deliberately interfering with other people. If your legitimate use happens to step on other people's legitimate use, well, so it goes. If you want to make sure nobody else can interfere with you, use a licensed frequency and obtain a license for your use.
I think this raises an interesting point. There ought to be some frequency bands accessible by common WiFi hardware which require a license to use. Then big venues like this could set up their networks on licensed bands, after obtaining a license, and be free from interference by people's mobile hotspots and such.
Although I have a feeling that approximately nobody would actually go through the process of getting a license, because the whole "interference" thing is just a cover, and their actual motivation is a cash grab by attempting to force people to use their spectacularly overpriced service.
> There ought to be some frequency bands accessible by common WiFi hardware which require a license to use.
Thank you for keeping this constructive. That's exactly the kind of discussion we need to have. Certainly there are likely to be all of the problems we've seen in every other aspect of spectrum allocation and licensing, but at least exploring the possibilities might lead to a better solution. Certain others' insistence on denial and bluster won't get us anywhere.
Also, they make an argument about density and interference that IMO shouldn't be dismissed out of hand.
The point isn't worthless in general, but it's worthless in the context of the text and principle of 44 US Code 333. In that case, I will dismiss it out of hand.
it's worth keeping in mind that mobile hotspots can fall afoul of the very same principle and law behind that fine
What mobile hotspots maliciously interfere with eachother's operation?
"Also, they make an argument about density and interference that IMO shouldn't be dismissed out of hand"
Absolutely it should. It might make for a shitty experience, but the whole (un) license of the Wifi spectrum is "it's a free-for-all, suck it up". However many users are there, microwaves, you name it. "May not produce interference to other users, must accept any and all interference".
http://apps.fcc.gov/ecfs/document/view?id=60001011936
Among other interesting points is that they seem to have been using the same "de-authentication" trick that Marriott had used in a similar case a while ago. Also, they make an argument about density and interference that IMO shouldn't be dismissed out of hand. I still think they were wrong and deserved the fine, but it's worth keeping in mind that mobile hotspots can fall afoul of the very same principle and law behind that fine.