
Marriott Hotels fined $600,000 by FCC for jamming Wi-Fi hotspots [pdf] - jxf
http://transition.fcc.gov/Daily_Releases/Daily_Business/2014/db1003/DA-14-1444A1.pdf
======
Tarang
Small/TLDR backstory: Marriott jammed Wifi hotspots and offered its own
internet services instead, charging from $250 per device.

Source: [http://www.slashgear.com/marriott-fined-600000-for-
jamming-g...](http://www.slashgear.com/marriott-fined-600000-for-jamming-
guest-hotspots-03349010/)

~~~
geetee
_In addition to the $600,000 civil penalty, Marriott will have to cease
blocking guests, hand over details of any access point containment features to
the FCC across its entire portfolio of owned or managed properties, and
finally file compliance and usage reports each quarter for the next three
years._

And how about refund everyone?

~~~
smackfu
That would probably require a class action suit.

~~~
kirillzubovsky
Some lawyer somewhere is probably already calling up all and every Marriott
guest on this planet.

~~~
toomuchtodo
I had to support the IT functions of a corporate event at the Gaylord Opryland
convention center ~18 months ago. Wouldn't mind joining a class action even if
I don't see a dime after attempting to mitigate their wifi interference for a
week.

------
kens
What I find interesting is this isn't jamming of the radio signal, but
protocol-level interference by sending deauthentication packets. I find it a
little concerning that the law is interpreted this way since it could give the
FCC a very broad jurisdiction.

More on the law: [http://www.fcc.gov/jammers](http://www.fcc.gov/jammers)

More on deauthentication packet jamming: [http://hackaday.com/2011/10/04/wifi-
jamming-via-deauthentica...](http://hackaday.com/2011/10/04/wifi-jamming-via-
deauthentication-packets/)

~~~
cddotdotslash
This is really interesting - the college I went to used this kind of
technology to prevent students from spinning up rogue hotspots. In fact, it is
a pretty common practice. Anyone know if this law extends to that use case or
if Marriot was doing something different?

~~~
iancarroll
No - that is blatantly illegal.

~~~
cddotdotslash
This is a Cisco technology:
[http://www.cisco.com/c/en/us/support/docs/wireless-
mobility/...](http://www.cisco.com/c/en/us/support/docs/wireless-
mobility/wireless-lan-wlan/70987-rogue-detect.html)

Something tells me there is more to this story.

~~~
iancarroll
That seems to cut off APs connected to a wired Cisco network - that's
perfectly legal, you can terminate any device you want from your network.

~~~
lmz
> Once a rogue client is detected on the wired network, the network
> administrator is able to contain both the rogue AP and the rogue clients.
> This can be achieved because 802.11 de-authentication packets are sent to
> clients that are associated to rogue APs so that the threat that such a hole
> creates is mitigated.

Looks like the Cisco AP sends these deauthentication packets over wireless, it
doesn't cut off the rogue AP from the network by filtering it or disabling a
switch port. The rogue AP is certainly bridged to your network, but is the
association between the clients and the rogue AP part of your network?

~~~
iancarroll
That doesn't look good. It is mentioned near the start about potential issues:

> rogue containment usually introduces legal issues that can put the
> infrastructure provider in an uncomfortable position if left to operate
> automatically.

The FCC also says selling these things is illegal:

> Federal law prohibits the operation, marketing, or sale of any type of
> jamming equipment

There might be a legal workaround in the case of unauthorized devices, as I
doubt Cisco's legal team would allow such a feature if there was not something
to base it off of. It is concerning though...

------
mbreese
Just in case it's not clear from the link/comments, the "jamming" happened at
one convention location (Gaylord Opryland Hotel and Convention Center in
Nashville, Tennessee).

It seems that the convention center was blocking mobile hotspots in an effort
to control the Wi-Fi traffic in the center, possibly so that they could charge
for their in-house Wi-Fi. This doesn't seem to have been a widespread issue or
an issue for hotel guests.

However, I suspect that this is a common practice among convention centers and
that the main point of this action by the FCC was to put everyone on notice
that this is not acceptable behavior.

------
joosters
I find it ironic that it's always the expensive hotels that charge for wifi
while the cheaper places mostly give it away for free. I guess business
customers are more happy to pay since they can expense it.

~~~
WaxProlix
I read somewhere (HN, maybe?) that the high-end hotels were the first to
adopt, before the market for these things was well fleshed out, and often
ended up in absurd, long-term contracts with 3rd party services/providers.

That, combined with the fact that, yes, businessfolk will just expense it,
leads to the current situation.

~~~
stevenjohns
You're more or less right.

I used to work for a fairly large hotel chain that would charge ridiculous
amounts for internet. Thinking back it wasn't too ridiculous (certainly not
10k for 3 days as someone said above) but it was still a high price.

The only people to really use the service were business people, and they'd
always charge it back to their companies.

The WiFi itself was merely a luxury we offered to encourage business people to
stay in the properties because "WiFi available" made for better
advertisements.

~~~
ubernostrum
The "10k for 3 days" is not the type of charge for a guest using wifi in a
room. It's the type of charge for a large event using wifi in the hotel's
convention/conference center. And that number is not so far off what a lot of
places charge for such things.

~~~
stevenjohns
Even with multi-day conferences, we never charged rates that high. That is
still charging about ~$7.40/person/day for a 450 person conference.

~~~
ubernostrum
I regularly help run events which have 500-ish people on the extreme low end,
and 1000-1500+ and sometimes even larger on the high end. The quoted rates do
not sound that far off from what I've seen.

Heck, I know one convention center that charges $1500 just to hang a small
banner over the door of the ballroom with your event's logo on it.

------
minimax
This kind of functionality is available in most commercial wirless controller
hardware. See e.g.
[http://www.cisco.com/c/en/us/support/docs/wireless/4400-seri...](http://www.cisco.com/c/en/us/support/docs/wireless/4400-series-
wireless-lan-controllers/112045-handling-rogue-cuwn-00.html#RM)

So it's not clear whether Marriott was intentionally being nasty or some over-
eager CCNA just turned on all the bells and whistles he could find.

~~~
kens
Given the FCC's argument against Marriott, wouldn't it be illegal for Cisco to
sell this now? (I'm not a lawyer, but 47 U.S.C. § 302a(b) makes it illegal to
manufacture, import, sell, offer for sale, or ship noncompliant devices, and
that document describes a feature whose specific purpose is to interfere with
WiFi.)

~~~
Someone1234
IANAL but, it is kind of a grey area. That functionality is only designed to
be used on a device which is attempting to spoof you (i.e. a device already
disrupting WiFi).

So is it a disruption feature if in effect it neutralises disruption when used
correctly? As I said, it is a grey area.

~~~
tjohns
Interestingly enough, Cisco's own docs mention that there are some legal
issues, especially when used against neighboring networks:

> "Containment can have legal implications when launched against neighboring
> networks. Ensure that the rogue device is within your network and poses a
> security risk before you launch the containment."

The wording in the FCC Consent Decree in this case suggests that this feature
would actually have been okay if it was being used against actively hostile
networks:

> "Specifically, such employees had used this capability to prevent users from
> connecting to the Internet via their own personal Wi-Fi networks when these
> users did not pose a threat to the security of the Gaylord Opryland network
> or its guests."

------
jawns
One thing I'm curious about: If it's just actively jamming hotspots that got
the hotel in trouble, couldn't hotels instead use physical materials to
construct conference centers with limited signal?

Like, I know whenever I go into my local supermarket, I'm lucky if I can get a
signal once I venture past the front door. There's no active jamming going on;
it's just the way the building is constructed (I assume).

If hotels really want to force their own Wi-Fi on people, couldn't they do the
same thing -- make use of physical impediments?

~~~
HeyLaughingBoy
Yes the hotel could do these things and the FCC probably wouldn't care since
it's on their own property and doesn't affect anyone else.

However, when you start jamming other people's signals that's in direct
violation of FCC regulations, so of course the hammer is going to drop. I'm
really glad it wasn't just a token slap on the wrist. FCC made it clear that
they are serious about this.

~~~
alistairSH
I'm not sure $600,000 even qualifies as a slap on the wrist. Marriott's
revenues in 2012 were somewhere around $11 billion.

~~~
acmiller
At the very least, it's a lot more money than they made renting wi-fi access
during the event in question. Therefore, this behavior is unprofitable and
will stop.

It's also enough to get the people who decided to do this fired.

~~~
MichaelGG
It'd be about break-even if they have a convention each week, and get 25
exhibitors pay $500 each. So if they had a lot of exhibitors they convinced to
pay, they could have easily made a profit after the fine.

------
jastanton
This seems more like a slap on the wrist than anything. Especially since they
were charging guests up to $1,000 per device to connect to the internet. Wow.
Edit: That's the $/connection point not $/guest. That's a bit more reasonable
then.

~~~
jxf
Just to be clear, it was $250 to $1,000 per hotspot/AP that they were
charging, not per device. (That is, if your convention needs 3 hotspots,
presumably you would pay $750 to $3,000, no matter how many people connected.)

~~~
delecti
Considering a conservative estimate of $1000/week for a single year across a
dozen hotels is already over $600k, this fine is particularly really
meaningless.

~~~
jtbigwoo
Others have stated that it was only one Marriott location. In that case, $600k
would hurt quite a bit.

------
xenophonf
Interesting that sending de-auth packets to shut down rogue (from Marriott's
viewpoint) wireless access points resulted in this fine. I mean, this is a
standard feature of your average wireless intrusion prevention system. We have
something similar set up to control unauthorized or inappropriate network
access, because end users attaching their own networking equipment (and
breaking our network as a result) is a real problem for us.

~~~
xenophonf
I just checked our Meraki configs, and we don't have containment enabled. If
we were to enable it, the only option we'd have would be to disable rogue WAPs
attached to our network. That's materially different from interfering with
other people's hotspots in my mind.

------
qq66
Is it any surprise that companies act like this? They're rarely punished for
malfeasance, and when they are the penalty is barely noticeable.

It's like putting someone in front of a big trough of money and allowing them
to take as much as they want, with the caveat that every few months they will
get a mosquito bite.

------
enraged_camel
This makes me very happy. Even though the amount is fairly small, the ruling
establishes a very clear precedent on what is and is not acceptable. I think
it would definitely make hotels and convention centers think twice before
trying to fleece event attendees with overly expensive Internet connections.

~~~
dedward
You can still fleece them, you can still demand they use yours, you can still
try all kinds of stuff.

You just can't actively jam their use of that spectrum.

------
alimoeeny
Wow, don't know why, but if feels good, to see FCC (or any part of
government), punish someone who is messing with internet connectivity. I must
be very naive in this regard but still feels very good.

~~~
dale386
Marriot made $11.8 billion in 2012. $600,000 is not an actual punishment.

~~~
pslam
$600,000 is enough to make the entire venture very much unprofitable. Whoever
in the management chain was responsible for this will have trouble meeting
their targets, not to mention keeping their job. The PR damage is massive.

The FCC has no place setting fines based on the total size of a corporation.
It seems rather proportionate to me, given that they were attempting to profit
from willful interference, and that's in the ballpark of how much they
probably made. I doubt Marriott, or any other major US hotel chain, will ever
attempt this again. Seems to me the punishment worked, without having to get
dragged into courts, appeals, and legislation if they had, for example, fined
them $1 billion.

~~~
delecti
The document in question mentions them having over 4,000 managed properties,
assuming an average of $1,000/month for each one of those, across the 2 years
between October 2012 and now, that's $96,000,000. I seriously doubt $600,000
is enough to make the venture unprofitable.

Even if I'm off by two full orders of magnitude it'd still be $960,000, and
it's possible I'm undercutting the truth.

~~~
tjohns
It sounds like they were only blocking connections at one specific property
(Gaylord Opryland Hotel and Convention Center in Nashville, Tennessee), which
changes the math a bit.

Also, don't forget the cost of doing compliance audits across all of their
properties for the next three years, which is not going to be cheap either.

------
Zweihander
Almost seems a bit low - thought this was taken 8 figures seriously.

------
transpy
I'm never sure how to understand fines like this one. I don't believe they
actually pay that money. Why aren't there follow-up stories that explain how
the payment process was like? Do the deposit the money? They write a check?
How on Earth is this enforced? What about transparency? Where can citizens
check that the money was indeed paid and how it is being used? With such large
amounts of money, corruption must be an issue.

------
Lord_Zero
Its crazy to me how this would even happen. I just imagine an upper
manager/exec going "Man, if we could only just jam existing WiFi hotspots and
force people into our own for absurd prices. Yeah that doesn't sound the least
bit illegal whatsoever."

------
sauere
Might be a stupid question, but: how did they do this? I mean their own WiFi
must have been operating on the same frequencies (2,4Ghz band as the personal
hotspots ), wouldn't a jammer also disrupt their own signal? /edit: i see,
deauthentication packets.

~~~
FireBeyond
The devices promiscuously listen for MAC addresses, and only send de-auth
packets to those which aren't white-listed or already connected directly to
it, so any packets they see flying around are targeted.

------
joesmo
I'm not surprised. Marriott hotels will do anything for a dollar, including
turning off the air conditioning to both of their hotels (4 and 5 star) in
Cancun, Mexico (a rather hot and humid location) while denying that they had
done so.

------
Istof
hopefully they made less then $600,000 in profits from their access points...

------
gordon_freeman
so I did some calculation here: the fine seems way to small for the number of
people the issue might have been affected.

\-- If Marriott charged minimum $250 for its own wifi then ($600,000/$250), it
paid the fine equaling to 2400 guests.

\-- If Marriott charged maximum $1000 for its own wifi then ($600,000/$1000),
it paid the fine equaling to only 600 guests.

Seems to me that Marriott got away very cheaply.

~~~
icebraining
This was at a single convention center, so 2400 guests doesn't seem that
little. Also, $250 is the price, not the profit margin.

------
cesarb
Would 802.11w have protected the guest from this?

------
ape4
The decision says:

"Wi-Fi is an essential on-ramp to the Internet"

oh thanks for explaining it in electronic superhighway terms. Now I
understand.

------
samim
they should of used a cyborg unplug hardware anti-surveillance device instead
of a jammer: [https://plugunplug.net/](https://plugunplug.net/) it uses FCC
approved hardware and blocks devices based on mac-addresses

~~~
TD-Linux
This would still be illegal to use on customer APs.

------
vaadu
Marriot should have been required to reimburse everyone that paid $250 for a
hotspot.

------
tvhiggins
Gov't lets them pay via credit card? ridiculous govt waste

