The counterargument is keeping packet headers (i.e. remote IP addresses) and plaintext DNS queries private, but that's already the use case of a VPN. Even if it's just a "VPN" to your own home router. And then it protects you even against the operator of the access point (or someone impersonating it because, as usual, the passphrase is widely distributed).
Not to mention that most protocols in current use at minimum leak metadata. There would need to be a standard for an automatic authenticated VPN supported by hotspots and operating systems. Regular users shouldn't need to perform complex setup procedures.
And at that point, while I do like the separation of concerns provided, why not just fix or replace WPA?
Meanwhile the guest users should have their own external VPN to protect them from you, which they should only have to set up once for all networks.
As long as you're legally responsible for the traffic coming out of your network, this is not a good thing to do. Unless people explicitly get the same protection an ISP gets, I'll keep advising them not to share their connection openly.
That is obviously a jurisdiction-dependent legal question and anyone concerned about it should consult an attorney.
But if you're suggesting that, for example, the CDA or DMCA safe harbors only apply to Comcast and not book stores or auto shops or anyone else that provides public WiFi, I would be interested to see a citation for that.
But even with just DMCA to be a safe harbour you need to: have a service policy, show it to the users, have the possibility to prevent access for identified violations, and effectively keep some kind of connection record to be able to identify which users you need to terminate. I doubt anyone fulfills that at home. (I don't think shops and cafes do either)
It's even possible that not providing public access may increase certain risks. If you restrict access and someone guesses/cracks the password and does something terrible, that may make it harder to argue that it wasn't you.
I'm also not sure where you're reading the requirement to identify the users. There are many sites (e.g. Slashdot) where users can post anonymously (and via Tor or equivalent). Are you saying they don't qualify?
They have some info here:
But notice that half the page is dedicated to extra-legal ISP shenanigans, which brings us back to routing your whole internet connection (guest net included) through a VPN. Which, again, you probably want even if you're the only one on your connection. It's not as if copyright trolls are renowned for their accuracy in targeting only people who are actually infringing something.
Not identify as in get their names. Just identify enough to know when they come back. Knowing which MAC to filter would probably be enough.
> First, the service provider is expected to adopt and reasonably implement a policy for the termination in appropriate circumstances of the accounts of subscribers of the provider’s service who are repeat online infringers of copyright.
You'd need to also identify which device was infringing by getting a connection time/destination.
I still don't see where it says you have to do that. Your link doesn't seem to say anything about it.
I question the value of MAC address blocking in general. Anyone can change their MAC address and popular systems are even using MAC address randomization by default now.
And in a physically local context like this, couldn't you just tell the person they're not allowed to use your wireless anymore, or remove them from the property?
The issue is who has to identify the user. If all they gave you was your own IP address with no accurate timestamp or ports, you wouldn't even be able to get the effectively-useless MAC address, even with the connection records most people don't keep. If they gave you the user's legal name (e.g. because the user signed up for the file sharing service with it) then you wouldn't need any connection records.
> couldn't you just tell the person they're not allowed to use your wireless anymore
The context we started with is wifi open to the public. You've never met your users and you may never see them (directional antenna from a distance), so the legal name is not useful either.
The situation where you know the users is much simpler.
You're thinking like a sysadmin. Think like an organization.
Compare the situation where you have a public space where everyone is welcome except Bob, because when Bob was there in the past he caused trouble and was asked never to come back.
You don't have to post guards checking ID because Bob knows he's not invited and the laws against trespassing deter him from showing up.
> The context we started with is wifi open to the public. You've never met your users and you may never see them (directional antenna from a distance), so the legal name is not useful either.
Seeing isn't required for telling. If you have the legal name, why can't you send a certified letter telling them they're not allowed to use your network anymore, then if they continue you call the police?
TLS for example is layered on top of Layer 4 (TCP/UDP). It's not part of the TCP standard or something.
Wifi or wired, segment-level security should have its own layer on top of or under Ethernet. Maybe 802.11ae falls under this?
Then I guess people would crack the VPN auth protocol.