
$718K penalty against M.C. Dean for blocking Wi-Fi devices (2015) - adammunich
http://transition.fcc.gov/eb/Orders/2015/FCC-15-146A1.html
======
Sephr
This wouldn't be an issue if WiFi APs enabled IEEE 802.11w-2009 protected
management frames by default. Most consumer routers have supported this for
years, but have it disabled by default.

Android's built-in hotspot functionality still doesn't support this at all,
and hotspots are the main thing here being targeted by hotels. If you want to
see this fixed in Android, consider starring this issue:
[https://code.google.com/p/android/issues/detail?id=197440](https://code.google.com/p/android/issues/detail?id=197440)

~~~
vlan0
I have not had much success implementing 802.11w. Either the wireless
manufacturer or the client device implementation tends to be buggy. My most
recent case is between Extreme Network 802.11ac APs and any MacBook Pro.

It's left me scratching my head as to why a protection mechanism such as this
isn't mandatory by now. Because mandating aspects of the protocol seems to be
the only sure way of easing compatibility woes.

~~~
cesarb
I just read somewhere that 802.11w is mandatory for the Wi-Fi Alliance
802.11ac certification. If true, the compatibility should get better.

------
simonh
I have to say that while I am against hotels engaging in this sort of
activity, I find the dissenting opinion by Ajit Pai pretty compelling:

>But because of the shared, "commons" model that applies to all unlicensed
operations, the Commission has >repeatedly held that "interference caused to a
Part 15 device by another Part 15 device does not constitute >harmful
interference."

In other words because the spectrum is unlicensed and because the
transmissions were conformant with the part 15 spec, any such operation
following the spec is allowed. How they can then they find that the Hotel was
causing harmful interference is a bit troubling.

Clearly in everyday language we could describe what the hotel were doing as
harmful, but the whole point of unlicensed spectrum is that it's a commons
free-for-all. When wifi gets degraded to usability at trade shows because
everyone's wifi is interfering with each other, nobody calls the FCC and files
complaints about harmful interference.

Also it appears the FCC have been previously explicitly asked if deauth
broadcasts like this are disallowed, and specifically chose not to make a
ruling. It makes me wonder what the heck is going on over there. Has this
issue become a political football between different factions over at the FCC?

~~~
retSava
While I'm not a lawyer so I can't speak for how the law looks like, there is a
clear difference in intent. The many users wifi interfering with eachother is
not by intent, the de-auth packets is nothing but intent to interfere.

~~~
VLM
The legal phrase is harmful interference.

47CFR15.5(b) talks about transmit and receive. People intentionally mis-
interpret the receive section as somehow referencing transmission. The
transmit side is as follows: "Operation of an intentional ... radiator is
subject to the conditions that no harmful interference is caused"

47CFR15.3(m) Harmful interference. Any emission ... that ... seriously
degrades, obstructs or repeatedly interrupts a radiocommunications service
operating in accordance with this chapter.

It is true that on the receive side you have no legal protection according to
15.5(b). However transmitting a jamming signal is quite illegal.

Its very strange, like imagine two laws, one says its illegal to shoot at
people, the other says you have no legal protection if you stand in front of a
bullet. Then everyone exclusively quotes the latter stating its perfectly
legal to shoot people, despite the former explicitly prohibiting that specific
act.

The FCC doesn't send men in black in vans when people interfere with aircraft
navigation for fun or because they're nice guys, although they are, but
because they're legally obligated to do so because those parts don't have "too
bad so sad" written into the legal code. All the "you're screwed if you're
interfered with" in part 15 means is the FCC is not legally obligated to send
in the men in black suits and vans solely for part 15 complaint issues. It
doesn't mean interference is legal under part 15 rules, in fact the line right
next to it explicitly states it is not legal and if by some miracle you're
caught you are in big trouble.

------
pmontra
This is from 2015. Did they pay the fine?

Interesting article from spring 2016
[http://www.networkworld.com/article/3042454/mobile-
wireless/...](http://www.networkworld.com/article/3042454/mobile-wireless/wi-
fi-hotspot-blocking-persists-despite-fcc-crackdown.html)

------
terom
Are there exceptions to this rule, i.e. legit uses for deauth mechanisms?

> Marriott admitted that the Wi-Fi users it blocked did not pose a security
> threat to the Marriott network.

> Similarly, Smart City submitted no evidence that the deauthentication was
> done in response to a specifically identified security threat.

It seems to me like it might still be okay to use WiFi deauth to automatically
defend your network against security threats, such as foreign APs advertising
the same SSID as your network?

~~~
tinus_hn
Imagine if this were allowed. Would you accept it if someone else did the same
to you, for instance a hotel guest would deauthenticate your use of your SSID?

Since no one owns the frequencies no one owns the SSIDs and there is no way to
specify who is the legitimate user and who is the adversary. The only solution
is if any one party just does not interfere in the business of the other.

~~~
halomru
That's easy enough to solve: you are only allowed to defend your SSID if you
have taken reasonable steps to minimise the chance of a random name collision,
and if this is really the most reasonable answer given your threat model.

For example you can't block all "Netgear WLAN" hotspots, but you can block all
"Hotel Sunrise NY Guests" networks. And you can not block SSIDs similar to
your private network simply because you are too lazy to specify the routers
MAC in all your five devices.

~~~
darkarmani
> Hotel Sunrise NY Guests

But what if we are "Hotel Sunrise NY Guests"? Why wouldn't i use that name as
a guest? I think if you want defensible randomization, you actually randomize
it.

~~~
nucleardog
No. Because these are realistic rules enforced by real and reasonable people.

If you walk into Hotel Sunrise and start walking up to people and saying "I'm
with Hotel Sunrise Guest Satisfaction, can I ask you some questions?" the
defense "Well, I'm a Hotel Sunrise Guest and it was for my Satisfaction!" is
not going to absolve you of any consequences that arise.

------
NateyJay
I'm glad the FCC is taking this stance, but I'm curious why the hotel can't
make "you consent to receive wifi deauth frames" a condition of entry. They
let corporations put "you will not sue us" in EULAs, after all.

~~~
Animats
Because it's a criminal offense. The illegal act is _sending_ signals which
willfully interfere with communications.

Also, the FCC determined that those clowns were jamming the Wi-Fi of buses
passing the convention center.

~~~
NateyJay
But if the convention-goers "agree" to receive deauth frames as a condition of
entry, it's an expected transmission desired by the recipient, so not
interference. Of course, if they block people outside the building, there's no
justification.

~~~
jfoutz
You can't have a contract that specifies illegal things. Well, you can, but
the government will decline to enforce it.

~~~
NateyJay
But surely two parties can agree to send deauth frames between each other, for
testing, development, etc. What makes this materially different?

~~~
ac29
Sure, you can deauth all you want for testing and development inside your own
home or business where you arent bothering anyone. You cant "test" your deauth
technology by blocking every single AP in range at a conference center, then
extorting hundreds or thousands of dollars to get access to the only
authorized networks. If you cant see the difference between the situations,
then go read what the FCC letter says again.

edit: Imagine if this convention center entered into an exclusivity agreement
with Verizon, then jammed the frequencies used by the other cellular carriers.
Would that be OK?

~~~
necessity
Charging for a service that one can reject paying for is by definition NOT
extortion.

~~~
TeMPOraL
Imagine you meet an entrepreneur who has a gun and proclaimed he'll shoot
everyone in sight by default, but that he provides a service in which he can
exchange the bullet for the "BANG!" flag for a small fee. It's not extortion -
you're free to refuse the service after all.

~~~
necessity
That's not at all the same case, you're being threatened. I'm impressed at the
dishonesty on this one.

Imagine you're at a hotel, you can access their WiFi but you have to pay for
it. Imagine you're at another hotel, you can use their pool but you have to
pay for it. Are you being extorted? No. That's a better example.

~~~
TeMPOraL
Yes, but in your example you need to add that I have with me an inflatable
pool that magically doesn't spill, and the federal law allows me to use it
instead of hotel one - and I get kicked out of the hotel for actually using it
(or worse, they make my magic water supply stop supplying water).

------
edoceo
I've observed this at other trade show facilities. Next time I'll trap logs
for the FCC to. Tax dollars at work.

------
ar7hur
"M.C. Dean charged $795 to $1,095 for access to the Wi-Fi it provided"

That's so outrageous.

~~~
coleca
We did a trade show in Minneapolis' convention center a few years back and had
the same issue. We were charged ~$1200 for a few days of Wifi access from
SmartCity. Even though we paid for them to allow us to use our Wifi AP (Cisco
enterprise AP, not some consumer gear bought at BestBuy) we still had to beg
and plead with their on-site network engineers to get them to stop issuing de-
auths on all our traffic. Then again, you have to pay hundreds of dollars to
have a trash can in your booth as well. These venue are such a racket it's
ridiculous.

------
ac29
I wonder if there was any action taken against the vendor of this equipment,
Xirrus. The FCC clearly identifies that this feature was marketed by Xirrus as
a "shoot first and ask questions later" aggressive anti-AP technology. There
does not appear to be any legal way to use this feature, so hopefully the FCC
at least sent them a warning.

~~~
windowsworkstoo
Every enterprise wireless vendor has this ability. Further there are
definitely legal ways to use this, if not in the US then certainly elsewhere.

------
imgabe
Hmm. What's interesting is MC Dean is an electrical/telecommunications
_contractor_. They would be responsible for doing the actual work of
installing and maintaining the network equipment, but usually at the behest of
someone else. How did they end up with the liability for this? Did they go off
the reservation and decide to start blocking WiFi on their own, or did the BCC
request for them to do so?

~~~
jahewson
Contractors, especially licensed ones are usually liable for their work. So
too is Marriot, for asking them in the first place, but they settled:

> Marriott agreed to settle the investigation by paying a civil penalty of
> $600,000 and establishing operating procedures to ensure that it does not
> engage in further Wi-Fi blocking

Presumably MC Dean did not.

~~~
imgabe
Right, I just thought they would usually be liable to the owner, and the owner
would be the one legally liable. Now, if the owner got fined because MC Dean
screwed something up, they could turn around and sue MC Dean for the amount of
the fine. But separately fining both the owner and the contractor for the same
infraction seems like double dipping on the part of the government, unless
they're being fined in proportion to culpability or something like that.

~~~
jessaustin
IANAL, but "someone hired me" is not a defense for any crime. Perhaps Marriott
could use ignorance as an excuse for hiring a wireless communication firm to
break a wireless communication law (under the somewhat silly theory that they
are only experts in hotel law), but the wireless communication firm itself
certainly can't.

------
Aloha
I really wish they'd change designing to configuring in the title on this.

------
BuuQu9hu
Does mean that aircrack-ng is now illegal?

~~~
NateyJay
It is if you use it to maliciously interfere with someone else's network.

~~~
necessity
But in this case the hotel owned the network, so it seems it can be illegal
even if you use on your own network, which is absurd.

~~~
throwaway7767
The hotel did not own the networks they were interfering with, that's why the
FCC is getting involved.

------
Kazamai
Would it not be under the authority of a privately owned building to regulate
their own Wi-Fi or radio signals?

For example, a movie theatre, airport or hospital could all have good reasons
to block radio signals.

~~~
jdbernard
As I understand it, ownership of a space does not confer ownership of the
radio spectrum, even within the confines of the space. They don't have the
authority to regulate radio signals at all.

------
punnerud
This is a weakness in the Wi-Fi stack, I can't see than he have interfered
with the signal it self. It is the router and/or the client that have picket
up these signals and misinterpreted them (though they were targeted). The rule
they mean he have broken: ###"harmful interference” as “[a]ny emission,
radiation or induction that endangers the functioning of a radio navigation
service or other safety services or seriously degrades, obstructs or
repeatedly interrupts a radio communications service operating in accordance
with this chapter.###

~~~
nickodell
I think this is the exception that swallows the rule.

Let's say I observe two ham radio operators having a morse code communication.
I decide to stop them from communicating, so I transmit "<callsign 1> QRT DE
<callsign 2>", where callsign 1 and callsign 2 are the callsigns of the two
ham radio operators.

Is this harmful interference, or did one of the ham radio operators just
misinterpret my signal?

~~~
punnerud
I wouldn't trust the "<callsign 1> QRT DE <callsign 2>" if it didn't contain a
secret message, that couldn't be produced by a 3. party

~~~
Sanddancer
In Ham radio, you can't use any sort of secret message like that. Everything
needs to be plaintext.

~~~
ryan-c
I don't think that's correct. Cryptographic authentication of messages should
be allowed (ARRL agrees with me[0]), the language specifies you cannot
"obscure the meaning" of the communication.

0\.
[https://ecfsapi.fcc.gov/file/7520928844.pdf](https://ecfsapi.fcc.gov/file/7520928844.pdf)

~~~
nickodell
That's correct. There's one exception to the encryption rule, which is when
sending commands to a space station. (That does not allow you to encrypt the
responses, though.) See 47 CFR 97.211,
[https://www.law.cornell.edu/cfr/text/47/97.211](https://www.law.cornell.edu/cfr/text/47/97.211)

------
denysonique
I don't really understand why you cannot fully be in control over
electromagnetic radiation that occurs solely in your own private property?
Logically it doesn't make any sense, unless of course there is leakage of that
radiation affecting someone else outside of your private property.

Will we soon be banned from using red light bulbs at home, because their
wavelength is illegal?

~~~
jannotti
Why is electromagnetic spectrum special? A convention center couldn't put
poison in their air, couldn't stab people, couldn't libel anyone, couldn't
cook meth, and couldn't produce patented pharmaceuticals in their own private
property either.

------
pmarreck
Can someone explain the whole wifi deauth thing?

~~~
yuchi
[https://en.wikipedia.org/wiki/Wi-
Fi_deauthentication_attack#...](https://en.wikipedia.org/wiki/Wi-
Fi_deauthentication_attack#Attacks_on_hotel_guests_and_convention_attendees)

~~~
pmarreck
Nobody considered that this might be an avenue for malicious actors? That's
insane.

------
wikibob
I suggest reading the entire notice. The dissenting commissioners do some
serious mental gymnastics to justify their disent.

~~~
bbarn
It sounds more like they are saying "Yes, this is bad, but technically not
illegal under our laws". Sounds more like they are doing their job rather than
being emotional about it.

~~~
jessaustin
Perhaps you are unfamiliar with this idiom. "Mental gymnastics" can be
motivated by emotions, but they don't have to be. It isn't motivation that
makes any particular mental activity gymnastic, but rather it is incoherence.
The commissioner writes as if [0] doesn't exist, even though he probably had
it open in another window on his screen while writing the dissent. Ideology
and avarice were probably more salient motivators than emotion.

[0]
[https://www.law.cornell.edu/cfr/text/47/15.5#b](https://www.law.cornell.edu/cfr/text/47/15.5#b)

------
coldcode
Given that the FCC will be basically eliminated this year, I assume this type
of activity will increase?

------
bwoj
From 2015.

~~~
mjolk
Does this make it less interesting to you? [edit: didn't it was convention to
mark non-current years in titles]

~~~
em3rgent0rdr
That's not the point. The point is the poster should have added [2015] to the
title.

~~~
mjolk
Ah, I didn't know this convention. Thank you for telling me.

