On Friday the FCC published DA 14-1444 consisting of an Order and a Consent Decree. Marriott, or specifically the Gaylord Opryland in Nashville, was de-authenticating customer mobile hotspots in the conference areas of the property. This angered our FCC overlords. The ruling has sparked a huge amount of discussion on Twitter.
You can read the FCC order and consent decree here: http://transition.fcc.gov/Daily_Releases/Daily_Business/2014/db1003/DA-14-1444A1.pdf
And the statement from Marriott here: http://news.marriott.com/2014/10/marriott-internationals-statement-on-fcc-ruling.html
Opinions on twitter have been quite mixed. There are some who think that Marriott is evil for interfering with the use of personal devices; and others who think that by simply using up precious RF resources, these devices are pose a security risk and the de-authing is justified.
There have been some good blog posts going further in depth than 140 characters will allow. Hement Chaskar of AirTight Networks does a good job breaking down some of the finer points of the order and consent decree here: http://blog.airtightnetworks.com/fcc-wi-fi-rogue-containment/
Robert Graham brings up a great point about how the FCC is selectively enforcing Section 333 of the Communications Act in his post: http://blog.erratasec.com/2014/10/two-minutes-of-hate-marriot-deauthing.html
I think that an element that often gets overlooked in discussions like these is that certain behaviors on private property, while themselves legal, are still predicated on continued permission to be on said private property. An element of this was brought up in 4th paragraph of the consent decree with the language “… they are not required to purchase these services from Marriott but can instead use other vendors.” If the contract between Marriott and their customers had included language about requiring the use of their services, or prohibiting the use of APs/hotspots while on their property, then this case would either read much differently than it does or it might not exist at all.
The other huge thing that folks aren’t giving enough weight to is that this was not a notice of apparent liability for forfeiture, but a settlement. Large corporations often look at all of the costs of fighting a situation like this, including not just financial costs but also time and public opinion, and weight them against what it takes to “make the problem go away.” It seems to me that this is the situation here. $600,000 isn’t chump change, even for a large multinational, but it was likely the cheaper of the two options.
I’ve seen a lot of use of the word “precedence” used on twitter. I think that there is only one thing that we can call precedence here, and that is that the FCC thought it prudent to take up a case like this and they might do so again. From paragraph 24 of the consent decree: “The Parties further agree that this Consent Decree does not constitute either an adjudication on the merits or a factual or legal finding or determination regarding any compliance or noncompliance with the Communications Laws.” This was Marriott wanting to take their licks and move on rather than being the example case that clarifies if using the 802.11 protocol against someone is jamming.
It will be interesting to see how this evolves; I know I’ll be double-checking my containment settings on Monday. And like many have said, I do hope that the FCC does go through the proper rule making procedure to clarify this situation rather than certifying devices that they later claim to be jammers.
16:40MDT 5 October 2014 – Update: Keith Parsons brought up a good point with the Continental Airlines/Logan Airport FCC Opinion – FCC 06-157. I don’t completely agree that this is the same situation as in FCC 06-157, as the Marriott situation was not a long term lease, and the complainant was an attendee. Still, it was an example of the FCC getting involved in a very similar situation.