March 3, 2015

Amid Skepticism about Privacy and Cybersecurity Claims, Hotel Industry Withdraws its Request for Permission to Block Guests’ Personal Wireless Networks

Related Attorneys

By Douglas F. Brent

Do you think twice before logging on to a Wi-Fi network at your favorite coffee shop or at the airport, a convention center or hotel?  You should.  When you log on using a 3rd party’s network, you are only as secure as that network.  And who is it broadcasting that “FREE WI-FI” SSID anyway?  Could it be a criminal waiting to intercept private information?  Law enforcement authorities have warned for years that criminals sometimes exploit Wi-Fi, including to target hotel guests with phony “software updates” laced with malware.[1]  So if you know nothing about the “GUEST” network you are offered, pause before depending on it for electronic communications that could put your business or personal data at risk.  Risks like that may be a good reason to depend on your own wireless tools when on the road.
 
Is the risk we just described reason enough for a hotel to take electronic countermeasures, such as preventing guests from setting up wireless networks on their property?  A major hotel trade association recently asked the Federal Communications Commission for approval to do just that.
 
Some background.  Last Fall the FCC’s Enforcement Bureau, investigating a consumer complaint, found that a Tennessee resort hotel was using equipment to send “de-authentication packets” to Wi-Fi Internet access points set up by 3rd parties and not part of the hotel’s Wi-Fi system.  The complaint had alleged the property did this to force convention exhibitors to purchase expensive Internet services from the hotel, by preventing them from tethering computers to personal smartphones or Mi-Fi devices.[2]  The hotel initially defended the practice as a cybersecurity measure intended to protect guests “from rogue wireless hotspots that can cause degraded service, insidious cyber-attacks and identity theft,” but agreed to cease the practice and pay a $600,000 fine.  The property owner was heavily criticized in the press and court of public opinion, but few commentators delved into the legal issue raised by the FCC.  Was it really unlawful for the hotel to protect its network on private property using FCC-authorized equipment?
 
The Communications Act prohibits willful or malicious interference with “radio communications” of any “station” licensed or authorized by the Act.  Is a personal access point, which is unlicensed, a “station” protected from interference?  
 
As it turns out, the enforcement action occurred against the backdrop of an FCC petition filed by the American Hotel & Lodging Association, along with Marriott International and Ryman Hospitality.  Those parties asked the FCC to find that it is not a violation of the Federal Communications Act to interfere with a hotel guest’s personal hotspot as an incident to managing its own Wi-Fi network.  The petition claimed the practice could protect hotel guests from signal interception, unauthorized network access, and “man-in-the middle” attacks where legitimate Wi-Fi access points are “spoofed” by an “intruder” intending to steal information from unsuspecting guests trying to logon to the hotel’s own wireless network.
 
The FCC’s Wireless Bureau asked for and received numerous comments, from the likes of Microsoft, Google, the cable industry, equipment providers such as Cisco, and Hilton Hotels.
 
Opposition was strong.  A national cable industry association claimed the hotel industry was seeking “the ability to disrupt the wireless communications of anyone whose Wi-Fi signal competes for spectrum with a venue owner’s own access points or otherwise behaves in a manner inconsistent with the owner’s business objectives.”  The wireless carrier industry expressed some sympathy for the need to maintain network security, but said Wi-Fi operators cannot “deputize themselves to police” the unlicensed radiofrequency environment occupied by Wi-Fi devices.  Google cited legislative history in support of its claim that blocking violated federal law, as well as the public interest.  On the other hand, Hilton Hotels claimed that network management that interfered with customer access points was practically an essential cybersecurity requirement.
 
We won’t see an FCC order addressing the interesting legal question posed by the petition.  The hotel interests withdrew their petition on January 30 and the FCC dismissed it by order on February 13.  Meanwhile, the FCC’s Enforcement Bureau reiterated in a late January press release: “No hotel, convention center, or other commercial establishment or the network operator providing services at such establishments may intentionally block or disrupt personal Wi-Fi hot spots on such premises, including as part of an effort to force consumers to purchase access to the property owner’s Wi Fi network.” 
 
We think it’s worth asking whether this was a battle worth winning.  After all, hotels survive when guests are satisfied.  A legal “win” in favor of blocking that appears more anti-consumer than privacy protective could result in poor publicity for the industry.  Amid the heated rhetoric over the industry’s motives for filing its petition, it was easy for the mainstream press to lose sight of the real risks to travelers who depend on wireless access in public locations.  Those issues are real.  Regardless, the 2014 enforcement proceeding had cast a long shadow, and that may be the reason the industry decided to check out early at the FCC.
 


[1] http://www.fbi.gov/sandiego/press-releases/2012/malware-installed-on-travelers-laptops-through-software-updates-on-hotel-internet-connections
 

[2] Marriott International, Inc., Marriott Hotel Services, Inc., Consent Decree, 29 FCC Rcd. 11760, ¶¶ 5-6 (2014)