Why you might want to rethink providing free wi-fi

We all seems to expect wi-fi enablement just about everywhere we go. We visit clients or suppliers and many people will ask “is there wi-fi available?” and as such many companies have now provided a Guest service for logging onto and surfing the net or connecting back to the office.

What many people fail to realise is the laws pertaining to wi-fi and the requirements placed on suppliers of free wi-fi they may not always be aware of. Let’s run through them.

The law

There are several laws that pertain, some more than others. The first one is the European Directive 2006/24/EC which was implemented into UK law under Data retention Regulations and the Anti-terrorism Crime and Security Act of 2001. Under these laws the provider of wi-fi is required to capture and store certain information about its users in the event the network is used for malicious purposes. It fairly normal stuff:

1. User ID, (real) name and address, date and time of login and logoff.
2. IP address allocated to that user; the MAC address of the machine connecting.
3. The internet services used during the period of connection (HTTP, POP, IMAP, etc).

Now many routers will store this, or at least most of it, as a matter of course. You can tie this to a manual process of collecting data from the persons asking for access and store for retention purposes. According to at least one wi-fi vendor the retention is stated to be:
“The data specified in the Schedule to these Regulations must be retained by the public communications provider for a period of 12 months from the date of the communication in question. See: http://www.legislation.gov.uk/uksi/2009/859/contents/made

The implications

So you are thinking “so what?”. Well the laws have teeth. Under RIPA intelligence and law enforcement can direct the release of such data if a crime has been committed using this network. Failure to supply such data could mean legal hurdles to jump and burning hoops of painful audit to jump through. Would you be able to respond if a court order landed and you were told you HAD to supply such data or be in breach of court or something similar?

This isn’t the only law which applies. The Digital Economy Bill which is in place to stop people downloading copyright materials has the ability to treat such acts as a crime and as from 2010 suppliers are obligated to keep user end records to help in identifying such people should your network have been used for this purpose.

This one is slightly tenuous but I could see a few scenarios where it might apply. The Data Protection Act states that any individual can request his or her personal information, of which is included machines he or she might use for such connections. So if someone needed to PROVE they were in your building at a specific time and date they could request their details from the owner of the wi-fi hotpot and thus you might be obliged to cough it up. Failure to do so might see you visited by the ICO or even fined.

Now I can’t find anyone who has ever been charged with such breaches.. yet. The NSA has just been forced by a US version of the law to not shred evidence because of the retention requirements. As the UK and US seem to have similar sort of issues on this front, I would guess someone will use this law to their advantage or have it used against someone else to their disadvantage.

The take away

The point to take away is that there is no such thing a “free” anymore. If you provide free wi-fi and don’t keep this data you could find yourself in hot water. I do wonder if the hacker community now sees high street coffee chains as the place to hack from. Wonder if the fines will be more than the taxes they haven’t paid.