Rick Hampton, the wireless communications manager for Boston-based Partners Healthcare, has seen the dialogue among network professionals heating up in the wake of the FCC’s sternly-worded enforcement warning about illegal Wi-Fi blocking and says it’s no wonder the commission is fired up.
He contends that the way in which many organizations have set up their wireless networks, based on overhyped products that have led them to believe anything goes, just won’t fly in a world where people increasingly are using personal Wi-Fi hotspots to get safe and easy Internet connectivity over unlicensed airwaves wherever they happen to be. After all, the FCC was created by Congress back in the 1930s to put the kibosh on just such intentional interference of radio devices.
A 42-year veteran of the wireless industry and self-described privacy advocate, Hampton says the FCC was correct to fine Marriott International last year for shutting down convention center visitor hotspots via de-authentication messages. He advises other organizations across various industries to review and if necessary change their practices before they get nailed, too.
Here’s what Hampton, who has worked on everything from military systems to medical devices (and has spent time working with the FDA and FCC on wireless medical systems), says about running a wireless network that will serve your organization and not get you in trouble with the government.
It's an unfortunate, but fairly predictable result of what happens when someone doesn't pay attention to the rules and thinks they won't get caught if they break them. For this discussion, let's leave out the issue of how Marriott's monetization of their Wi-Fi network factored into all this. Marriott claimed they deauthenticated customers from the customer’s hotspot devices in order to protect Marriott's Wi-Fi network from interference caused by those hotspot devices. But the rules don’t allow this. Look at the pertinent part of the rules, contained in Title 47 of the Code of Federal Regulations, Part 15.5:
§15.5(a), means no one has a vested right to use a given frequency any more than anyone else. We must share and share alike. Even if you turned your system on first, you have to share the spectrum with everyone else who comes along later.
§15.5(b) means you can use a frequency as long as you don’t cause harmful interference to other users. For unlicensed devices, which include Wi-Fi, the FCC has consistently interpreted this to mean that interference incidental to the operation of a properly functioning device is allowable. Someone using a properly operating hotspot in your vicinity has as much a right to operate their device as you do operating your device, even if the two systems cause problems with each other. Further, the Commission has also consistently interpreted this to mean that intentional interference meant to deny someone else from using the frequency is illegal.
Marriott’s case is one where they assumed they had more of a right to the spectrum than other wireless users. Marriott further assumed they could intentionally interfere with the other users to take control of the spectrum. Marriott was wrong on both counts and the FCC fined them for their mistake. (For more on this story, see "Marriott CIO: FCC message on Wi-Fi blocking loud and clear.")
One other note: some people are complaining that disassociation/deauthentication is not the same as interference. Let’s take a closer look at that.
Disassociation/deauthentication by an intrusion protection system works by repeatedly emitting a signal from a Wi-Fi device that causes the target device to disconnect from its network, resulting in a repeated interruption to the radiocommunication service of that Wi-Fi device. The rules say:
§15.3(m) Harmful interference. Any emission, radiation or induction that… seriously degrades, obstructs or repeatedly interrupts a radiocommunications service operating in accordance with this chapter.
Comparing the operation of an IPS’s deauthentication feature to the definition of harmful interference, it’s easy to see that if someone intentionally deauthenticates someone else, the person doing the deauthentication is causing harmful interference. That said, the FCC doesn’t require you to share your network with everyone else, so using an IPS to deauthenticate unwanted wireless user devices from YOUR network is legal. Using an IPS to deauthenticate unwanted wireless users from THEIR network is illegal.
The FCC has known about IPS offerings since they first came out. If the Commission believed their existence were illegal, they would have forbade their marketing, importation, sale and use from the very beginning, as they already do with all other forms of jamming devices. The Commission understands IPSes have a legitimate use. Thanks to Marriott, the Commission and everyone else now understand IPSes can have an illegitimate use.
How common do you think the Wi-Fi blocking practices used by Marriott are among other organizations (not just in the hospitality industry)?
Until this happened and wireless engineers began posting their objections on internet sites, I thought this was a rare occurrence. It's pretty obvious now that when the FCC says they're concerned by the number of complaints they've received, they aren't kidding. Not having seen actual numbers, I'm not sure what adjective I would use to describe the magnitude of the problem. It certainly doesn't appear to be an isolated problem, either in terms of raw numbers or in terms of a specific industry.
Why do you think that’s the case?
One reason is because very few wireless engineers have read and understand the FCC’s rules for operating Wi-Fi systems or other unlicensed devices. The comments being posted certainly support this conclusion. Most Wi-Fi engineers seem to think they only need to concern themselves with microwave ovens, Bluetooth devices and Wi-Fi hotspots. They have no idea they are also required to share the spectrum with amateur radio, remote TV broadcasting, radio-navigation, and others… with Wi-Fi being on the bottom of the regulatory heap. It only takes one careless user, like Marriott, to cause problems for everyone.
If your only understanding of FCC regs and RF systems comes from one of the wireless networking certification programs or what the vendors tell you, which seems to include a significant percentage of the wireless engineers, you may not sufficiently understand enough to question the vendors’ marketing material. By far, the best wireless engineers I’ve met either have an amateur radio license, prior military communications experience, or have spent as much time learning how the RF portion of their systems work as they have learning how the software portion works.
Wireless engineers need to understand they are responsible not only for the technical operation of these systems, but the legal operation, as well. They need to understand all the rules and regulations involved, not just channelization issues mentioned by the vendors. They need to push back harder against vendors when things aren’t as they seem. As the Marriott case shows all too well, ultimately it is the responsibility of the person/entity deploying the system to ensure they got things right. I’m pretty sure that somewhere, a wireless engineer rues the day he realized he could use his IPS against other spectrum users. Everyone else should work to avoid repeating his mistake.
What role do the WLAN product vendors play in all this? What should they do going forward?
In my opinion, the Wi-Fi vendors have done a terrible job of marketing their products properly and responsibly. They do their best to present their products as technology so advanced, they’re magical, one-size-fits-all solutions; you need not concern