FCC Fines Marriott For Jamming Customers' WiFi Hotspots To Push Them Onto Hotel's $1,000 Per Device WiFi
from the sleazy-sleazy dept
Hotel WiFi sucks. If you do any traveling, you're aware of this. Though, from what I've seen, the higher end the hotel, the worse the WiFi is and the more insane its prices are. Cheap discount hotels often offer free WiFi, and it's generally pretty reliable. High end hotels? I've seen prices of $30 per day or higher, and it's dreadfully low bandwidth. These days, when traveling, I often pick hotels based on reviews of the WiFi quality, because nothing can be more frustrating than a crappy internet connection when it's needed. But, even worse than the WiFi in your room, if you're using the WiFi for a business meeting or event -- the hotels love to price gouge. And, it appears that's exactly what the Marriott-operated Gaylord Opryland Hotel and Convention Center in Nashville did. Except, the company went one step further. Thanks to things like tethering on phones and MiFi devices that allow you to set up your own WiFi hotspot using wireless broadband, Marriott realized that some smart business folks were getting around its (absolutely insane) $1,000 per device WiFi charges, and just using MiFis. So, Marriott then broke FCC regulations and started jamming the devices to force business folks to pay its extortionate fees.
In response, the FCC has now cracked down and Marriott has agreed to pay a $600,000 fine for the practice, while also promising to continue to make sure it doesn't make use of jammers and to update the FCC on "compliance" every three months for the next three years. The FCC found out about all of this because a customer sent in a complaint -- though it's unclear if the customer just figured it out by themselves, or if some employee at Opryland stupidly admitted to the hotel's practices.
Update: Oh, and I missed the best part, as pointed out in the comments. Marriott is still claiming that what it did was legal... and for the benefit of consumers. Uh huh:
"Marriott has a strong interest in ensuring that when our guests use our Wi-Fi service, they will be protected from rogue wireless hot spots that can cause degraded service, insidious cyber-attacks and identity theft," the statement said. "Like many other institutions and companies in a wide variety of industries, including hospitals and universities, the Gaylord Opryland protected its Wi-Fi network by using FCC-authorized equipment provided by well-known, reputable manufacturers.
"We believe that the Opryland's actions were lawful. We will continue to encourage the FCC to pursue a rulemaking in order to eliminate the ongoing confusion resulting from today's action and to assess the merits of its underlying policy."
Filed Under: fcc, fines, jammer, mifi, opryland hotel, wifi
Companies: marriott
Reader Comments
In very general terms, $250 a day for wi-fi seems high, but in convention space terms, it seems pretty much par for the course. Most hotels with WiFi intentionally make sure that the service is NOT available in their convention spaces, and charge for connectivity - installing a wireless modem in your conference room, as an example.
Marriott certainly went over the top here, I guess just pure profiteering wasn't enough for them.
[ link to this | view in thread ]
I suppose rich people have too much money to think for themselves, eh?
And actually, I would be a fool if I paid (really?) $1K/day for WiFi... Jeepers, for a thousand dollars you could buy a no-contract cell phone, a no-contract/burner SIM card, and use the phone as a WiFi hot-spot. Bonus: you don't have to worry about whether the hotel set up the security well (usually they don't).
[ link to this | view in thread ]
Whistleblowing?
I can't believe our Mike is the only potential customer of that hotel that might be unhappy about the insane profiteering and broken connectivity that even the non-technical folks are increasingly taking for granted.
[ link to this | view in thread ]
Re: I suppose rich people have too much money to think for themselves, eh?
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
"...they will be protected from rogue wireless hot spots that can cause degraded service, insidious cyber-attacks and identity theft,"
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Re: "...they will be protected from rogue wireless hot spots that can cause degraded service, insidious cyber-attacks and identity theft,"
[ link to this | view in thread ]
Re: "...they will be protected from rogue wireless hot spots that can cause degraded service, insidious cyber-attacks and identity theft,"
Just another friendly service we here at the Marriott Hotel provide.'
[ link to this | view in thread ]
Fixed that for you. No need to assume that every employee at the hotel is a criminal. There might be one or two who are kind, law abiding citizens.
[ link to this | view in thread ]
Re: Re: "...they will be protected from rogue wireless hot spots that can cause degraded service, insidious cyber-attacks and identity theft,"
[ link to this | view in thread ]
On the other hand
A convention is a great place to do this, especially if the scammers name their wifi "FreeMarriott" to confuse people into thinking it's the one owned by the hotel.
So Marriott may seem heavy-handed by doing this, but what's their liability if someone got infected (especially using a *business* laptop) when the person connected to the fraudulent "FreeMarriott" wifi?
[ link to this | view in thread ]
Customers Still Screwed - didn't see anything about refunds!
This really doesn't surprise me though... if the service they did deliver was fast .. then 1000$ to hook up your own wireless so you could hand it out to attendees would be ok... but if it's for one client device, that is insane.
My firm has done numerous trade shows, normally we have to pay a fee these days for decent internet connections (usually cable), 4-500$ for a week long show. It's all part of the space/booth fee.
Not long ago though we had to bring in our own connections - usually ISDN or if we were lucky DSL. Local telco would wire us up a circuit for the duration of the show.
[ link to this | view in thread ]
Re: Re: I suppose rich people have too much money to think for themselves, eh?
I stayed at a small chain hotel out on the fringe of the city where my alma mater is located. The lady running the desk was almost indecently insistent with making sure I knew the (free) wifi password. Contrary-wise, when I stayed at a swanky hotel downtown in the same city, not only did they charge more for wifi than they charged for parking, but they were "perplexed" that despite their claims that I could get free wifi because of my cellphone carrier, their system did not recognize said condition. After saying that it should work, they helpfully offered to charge me the full rate for wifi instead (?!?!). At least the co-ed running the desk had the decency to blush when I gave her the hairy eyeball for that piece of BS.
[ link to this | view in thread ]
Re:
If that's correct then it's worth noting that when Marriott does this they get fined chump change...but if a hacktivist did this (OMG anons anarchists political activists aiaiieiieeieyeee) they'd get their door kicked down, they'd be beaten, they'd be tasered, they'd have every electronic device they own confiscated, they'd be charged with multiple felonies, they'd be perXXXprosecuted by vicious grandstanding federal assholes and have their lives destroyed.
[ link to this | view in thread ]
Re: I suppose rich people have too much money to think for themselves, eh?
[ link to this | view in thread ]
Nothing New for Them
Before wifi was widespread, you had to deal with the venue for trade show or in room network access. Lately wired in room is going away and the wifi is slow and capped at slow rates. I recently found (at a different hotel) the free lobby wifi was 5 times faster than the in room service. It makes a big difference when you have gigs of photos to upload to a waiting editor.
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Hotel Wifi
[ link to this | view in thread ]
Betcha Marriott made far more than $600,000
[ link to this | view in thread ]
Re:
Oh, ok ... nevermind. Nothing to see here, move along.
Apparently customers go elsewhere when dissatisfied.
[ link to this | view in thread ]
Re: Re:
[ link to this | view in thread ]
Re: Re: Re: I suppose rich people have too much money to think for themselves, eh?
The room wifi wouldn't be very expensive at all.
[ link to this | view in thread ]
Food for thought.
[ link to this | view in thread ]
The FCC is asserting that deliberate interference with radio communication, "jamming", is not allowed. Period. Full stop. You can use the bands without a license, subject to ERP (power) limits. You can even heavily use the bands. But you can't do something to deliberately block someone else from using the spectrum, even if you handwave and say that it's pretty much like just using the band.
[ link to this | view in thread ]
Re: Re:
No. You are wrong. I strongly suggest that you acquaint yourself with the relevant Federal law -- in particular, the Communications Act of 1934. I strongly suggest that you cease advising clients to enable such features until you have properly educated yourself on the relevant statutes and FCC regulations, as what you're currently telling them to do is a violation of US federal law.
[ link to this | view in thread ]
Re: Hotel Wifi
:-P
[ link to this | view in thread ]
Re: Re: Re:
Internet via their own personal Wi-Fi networks when these users did not pose a threat to the security of the Gaylord Opryland network or its guests."
I suggest you go into any Hospital or business that is covered by PCI and uses WIFI that does not deauth unauthorized wifi hotspots and convince them that they are better off not protecting their networks by tossing aside security best practices and NIST guidance and see what that gets you. I am confident the FCC specifically stated the lack of a security threat due to the fact that many security standards require the deauthorization of unauthorized traffic. I will continue to recommend clients de-auth traffic within their networks without losing sleep. I agree that the law may read that way but there is way too much on the line from a security standpoint to go against best practices within a regulated data environment to worry about the FCC in that scenario. Other government agencies would consider the lack of that security negligence.
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Re:
In the context that the law was written, it's reasonable to assume that they're talking about radio interference, which this is not. If I walk down the street asking people to hang up their phones, that doesn't make me a human cell phone jammer.
[ link to this | view in thread ]
Oh...the "Everybody else is doing it" defense.
They're all scumbags, and by using each other as examples to legitimize themselves, they're being even scumbaggier.
Case in point: Data-caps in wireless telecommunications.
[ link to this | view in thread ]
When I am on the road . . .
to feed me screens of the fast connection. It's faster than doing it directly to the 'net through the hotel connection.
I am doing that right now.
[ link to this | view in thread ]
Re: Re: Re: Re:
Everyone who actually knows what they're doing -- which clearly excludes ignorant morons like you -- is perfectly capable of locking down environments without resorting to the kind of crude, ineffective tactics you're recommending. You're a disgrace to the profession of IT security. Get out.
[ link to this | view in thread ]
Re: Re:
This isn't something that you can easily, technically, ignore.
Ignoring DEAUTH packets is a violation of the RFC, and generally causes bad things™ to happen. How do you manage entering and leaving a WIFI cell without DEAUTH? How do you handle an access-point going off-line, switching channels, etc. And how do you handle trade-offs between access points. If your solution is to just ignore it, you are potentially performing a denial-of-service against your own connection, or causing harm to the WIFI network you are connected to.
There isn't any way to ignore DEAUTH packets using standard available drivers right now, though you could modify firmware/drivers to accomplish this. There is work being done on implementing real management frame authentication capabilities through 802.11w, though I am not aware of any equipment that currently provides this capability.
If I walk down the street asking people to hang up their phones, that doesn't make me a human cell phone jammer.
If you walk down the street asking people to hang up the phone, they still have a choice to ignore you, punch you in the face, etc. You aren't jamming their phone connection. With deauth packets, you are jamming their connection, and the FCC rightly doesn't like the jamming of public airwaves.
What would be really interesting, in a situation similar to this one, is what would have happened on the Hotel side if the people being jammed just turned around and jammed the hotel right back. Would the hotel be screaming for the cops to intervene when their WIFI network was taken down?
[ link to this | view in thread ]
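The comment above notes that clients cannot ignore deauthentication frames and that 802.11w is meant to authenticate them. As an added example (not part of the original post or its comments), this is how a passive monitor can recognise bursts of unprotected deauthentication/disassociation frames in a capture; the frame bytes, MAC addresses, threshold and window are all constructed for illustration.

```python
import struct
from collections import defaultdict, deque
from typing import NamedTuple, Optional

SUBTYPES = {10: "disassoc", 12: "deauth"}  # management subtypes that tear a link down
PROTECTED = 0x40  # "Protected Frame" flag, set on 802.11w-protected unicast frames


class Teardown(NamedTuple):
    kind: str
    dst: str
    src: str
    bssid: str              # as claimed in the frame; unprotected frames are not authenticated
    protected: bool
    reason: Optional[int]   # None when the body is encrypted


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_teardown(frame: bytes) -> Optional[Teardown]:
    """Parse a raw 802.11 frame (no radiotap header); None unless deauth/disassoc."""
    if len(frame) < 26:                  # 24-byte management header + 2-byte reason code
        return None
    fc0, flags = frame[0], frame[1]
    if fc0 & 0x03 or (fc0 >> 2) & 0x03:  # protocol version 0 and type 0 (management) only
        return None
    kind = SUBTYPES.get(fc0 >> 4)
    if kind is None:
        return None
    protected = bool(flags & PROTECTED)
    reason = None if protected else struct.unpack_from("<H", frame, 24)[0]
    return Teardown(kind, _mac(frame[4:10]), _mac(frame[10:16]),
                    _mac(frame[16:22]), protected, reason)


def find_bursts(capture, threshold=5, window=1.0):
    """Return {bssid: timestamp of first alert} for BSSIDs that receive at least
    `threshold` unprotected teardown frames within `window` seconds.
    `capture` is an iterable of (timestamp_seconds, frame_bytes) sorted by time."""
    recent = defaultdict(deque)
    alerts = {}
    for ts, raw in capture:
        t = parse_teardown(raw)
        if t is None or t.protected:     # protected frames are verified by the receiver
            continue
        seen = recent[t.bssid]
        seen.append(ts)
        while ts - seen[0] > window:     # drop timestamps that fell out of the window
            seen.popleft()
        if len(seen) >= threshold:
            alerts.setdefault(t.bssid, ts)
    return alerts


# Constructed sample data: locally administered MAC addresses, hand-built frames.
HOTSPOT, GUEST = "02aabbccdd01", "02aabbccdd02"
OFFICE_AP, LAPTOP = "02aabbccdd10", "02aabbccdd11"

# fc + duration | addr1 (dst) | addr2 (src) | addr3 (bssid) | seq | body
BURST = bytes.fromhex("c0003a01" + GUEST + HOTSPOT + HOTSPOT + "0000" + "0700")
LEAVING = bytes.fromhex("c0003a01" + OFFICE_AP + LAPTOP + OFFICE_AP + "1000" + "0300")
PROTECTED_DEAUTH = bytes.fromhex("c0403a01" + LAPTOP + OFFICE_AP + OFFICE_AP + "2000"
                                 + "0100002000000000" + "9f3c51aa07d2e4b1c6")
BEACON = bytes.fromhex("80000000" + "ffffffffffff" + OFFICE_AP + OFFICE_AP + "3000" + "0000")

SAMPLE_CAPTURE = (
    [(9.0, BEACON), (9.5, LEAVING)]
    + [(t, BURST) for t in (10.0, 10.1, 10.2, 10.3, 10.4, 10.5)]
    + [(11.0, PROTECTED_DEAUTH)]
)

if __name__ == "__main__":
    for bssid, ts in find_bursts(SAMPLE_CAPTURE).items():
        print(f"t={ts}: burst of unprotected deauth/disassoc frames for BSSID {bssid}")
```

A single teardown frame, such as a client leaving, stays below the threshold; only the repeated burst against one BSSID is reported.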
Re: On the other hand
Why should Marriott or anyone else care what is being done on anything other than their own WIFI? If someone sets up a "FreeMarriott" access point on their property, they can ask that person to leave, but they don't have any legitimate reason to care if someone sets up "FreeMarriott" in their personal vehicle sitting on a public street broadcasting next to the hotel (except maybe for use of Trademark.) What is worse, is that scammers don't need to create something called FreeMarriott to scam, all they really need to do is break into Marriott's poorly locked down computers or sit on their WIFI and sniff the unencrypted traffic and they are done.
If the hotel really wants to prevent this from happening, provide the user with a WPA2-PSK key to use to connect to the hotel wifi, or even set up RADIUS, create an account for the person checking in, and give them their own key to connect to the WIFI using WPA2-Enterprise, and call it a day.
There is no legitimate reason to use DEAUTH jamming; none. Not even for protecting your own WIFI. It is only used by heavy handed monopolists and petty bureaucrats.
[ link to this | view in thread ]
Re:
I'm not excusing what Marriott did in any way...
[ link to this | view in thread ]
Re:
Jamming the airwaves is absolutely legal, as long as the FCC grants its specific approval, and the jammers stay within the authorized parameters set by the FCC license. But whether the FCC actually grants such approval is another question.
At least that was the way the system worked with 'analog' radio, presumably digital would not be too much different.
[ link to this | view in thread ]
Re: Re:
I'll just leave this right here.
[ link to this | view in thread ]
Re: Re: Re: Re: Re:
[ link to this | view in thread ]
Re: Re: Re:
=====================================================
As containment renders any standard 802.11 network completely ineffective, containment measures should taken in your airspace. Extreme caution should be taken to ensure that containment is not being performed on a legitimate network nearby and, action should only be taken as a last resort. Unauthorized containment is prosecutable by law (subject to the FCC’s Communications Act of 1934, Section 333, ‘Willful or Malicious Interference’).
===================================================
However PCI standards require you take this into account:
--------------------------------------
PCI Compliance
Understanding and remediating against wireless threats is also a requirement under the Payment Card Industry Data Security Standard (PCI DSS), a standard required for retailers to follow when processing credit card data over WLAN networks. Examples of WIPS requirements under PCI DSS include:
Section 9.1.3 Physical Security: Restrict physical access to known wireless devices.
Section 10.5.4 Wireless Logs: Archive wireless access centrally using a WIPS for 1 year.
Section 11.1 Quarterly Wireless Scan: Scan all sites with card dataholder environments (CDE) whether or not they have known WLAN APs in the CDE. Sampling of sites is not allowed. A WIPS is recommended for large organizations since it is not possible to manually scan or conduct a walk-around wireless security audit of all sites on a quarterly basis
Section 11.4 Monitor Alerts: Enable automatic WIPS alerts to instantly notify personnel of rogue devices and unauthorized wireless connections into the CDE.
Section 12.9 Eliminate Threats: Prepare an incident response plan to monitor and respond to alerts from the WIPS. Enable automatic containment mechanism on WIPS to block rogues and unauthorized wireless connections.
------------------------------------------------
So you both have points.
[ link to this | view in thread ]
Re: Re: Re: Re:
The Bureau investigated the complaint in order to assess Marriott’s compliance with Section 333 of the Act. In the course of its investigation, the Bureau discovered that one or more Marriott employees had used the containment capability discussed in paragraph 5 in a manner that the Bureau believes violates Section 333. Specifically, such employees had used this capability to prevent users from connecting to the Internet via their own personal Wi-Fi networks when these users did not pose a threat to the security of the Gaylord Opryland network or its guests
If the FCC truly wanted to make WLAN Deauthentication illegal they would not imply there are manners that do not violate section 333. They also would not be just going after Marriott they would be fining Cisco, Motorola, Aruba, ETC that market the technology in the US as they have with companies marketing cell jammers.
[ link to this | view in thread ]
Re: Re: Re:
[ link to this | view in thread ]
Re: Re: Re: Re:
[ link to this | view in thread ]
Re: Re: Re: Re: I suppose rich people have too much money to think for themselves, eh?
[ link to this | view in thread ]
Re: Re: Re:
In addition to complaining about the jamming we are here to complain about the industry norm. If you don't like it you can get lost and find another website to troll or you can start your own blog.
[ link to this | view in thread ]
Re: Re: Re: Re: Re: Re:
Citation please.
I am not aware of any NIST guidance that requires WIFI deauth packets be used. NIST SP 800-153 talks about using WIDPS only for monitoring. General NIST guidance is that rogue access points should physically be removed. PCI DSS does not say anything about deploying automated wifi containment, and section 11.1 talks about using IDS/IPS only for monitoring for rogues. The PCI DSS Information Supplement v2.0 talks about using containment, but only against devices that are connected to the CDE. It also recommends physical removal of rogue access points. "Many wireless IPS systems provide the ability to prevent clients from associating with an unauthorized AP or can disable an ad-hoc network. However, efficacy of these techniques varies widely, and while they can provide adequate temporary mitigation of the risk, unauthorized devices should be physically removed from the CDE as soon as possible" - https://www.pcisecuritystandards.org/pdfs/PCI_DSS_Wireless_Guideline_with_WiFi_and_Bluetooth_082211.pdf, section 4.3.1.
And best practices are against you. Note, the last document is a CISCO best practices document, that specifically states "Note that it is critical to evaluate (or avoid altogether) rogue auto-containment, as there are potential legal issues and liabilities if left to operate automatically."
[ link to this | view in thread ]
Re: Re: Re:
http://transition.fcc.gov/pshs/docs/summits/Combating-Contraband-Cell-Phones-in-Prison-Handout-v4.pdf
even state government authorities (but not federal) are prohibited from using jammers, as many state prisons have been known to do to stymie prisoners' attempts to communicate via cellular networks. Instead, the FCC recommends cellphone "call capture systems," while insisting that any deployment needs to be authorized by the FCC, or it's illegal.
Also of note, the maker of "Stingray" interceptors lied to the FCC in order to get a license.
http://benswann.com/company-behind-stingray-cell-phone-surveillance-tool-lied-to-the-fcc/
[ link to this | view in thread ]
Re: Re: Re:
The real problem is staring you right in the face and you still completely miss it.
[ link to this | view in thread ]
the higher end hotels
[ link to this | view in thread ]
Re: the higher end hotels
[ link to this | view in thread ]
Re: Re:
More likely, the Hyatt was jamming the cellular signal to people's phones and Mifis, which is a big federal no-no, cuz big biz interests like Verizon and ATT lose their sheet when that happens.
If the Hyatt were jamming instead the cellular signals that powered the Mifis, then it is absolutely illegal to even transmit any unauthorized signal on spectrum licensed to some wireless carrier, let alone use a jammer.
[ link to this | view in thread ]
Re: Re: Re: Re:
[ link to this | view in thread ]
Re: Re:
[ link to this | view in thread ]
Re: Re: Re: Re:
Not at all surprised by that, given that they tend to want people to lie and hide the use of Stingray in court or court documents.
[ link to this | view in thread ]
Re: Re: Re: I suppose rich people have too much money to think for themselves, eh?
and the motel-style Marriotts. The motel-style Marriotts go by names like "ResidenceInn" etc.. Waaay back in 2004, I stayed in the downtown Atlanta Marriott and was charged $10/day for wifi, and later on that same trip I stayed at a Marriott ResidenceInn in Sarasota Florida, and the wifi was free. Seems somewhat backwards somehow...
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Re: Nothing New for Them
[ link to this | view in thread ]
Re: Re: I suppose rich people have too much money to think for themselves, eh?
Which is why the management tried to cover up, and then spin. Starting this practice up again would cost them more than they've gouged.
[ link to this | view in thread ]
Beautiful statement. It brought a single, triumphant tear of joy to my eye.
[ link to this | view in thread ]
Re: Re: the higher end hotels
Jamming a person's own service into the bargain is really adding insult to injury, quite aside from the legalities of the issue.
[ link to this | view in thread ]
Re: Re: Re: Re: I suppose rich people have too much money to think for themselves, eh?
I don't think Marriott operates any motels. Certainly Residence Inn, Fairfield Inn, and Courtyard are not motels.
[ link to this | view in thread ]
If Marriott is concerned about security, they could ensure that only registered guests have access by issuing a password.
If Marriott complains that they cannot offer WiFi for free, because it costs money to install and then has an ongoing cost to operate, I would point out the following. Marriott offers other things for free that cost substantial money to install, and have some ongoing costs to operate:
* Free Air Conditioning / Heating
* Free Color TV
* Free drinking fountains
* Free use of electrical outlets
* Free indoor plumbing
Does WiFi cost as much to install as central air conditioning? Indoor plumbing? Does WiFi cost anywhere near as much to operate as air conditioning? Cable TV?
I won't hold my breath waiting for Marriott's response. But now I realize that I have made a serious mistake by posting this. Marriott will now have additional charges for air conditioning, indoor plumbing, etc. (please don't throw things at me now that Marriott will start charging for these things! I didn't mean to inspire them to create new charges! Really.)
[ link to this | view in thread ]
Re: Re:
[ link to this | view in thread ]
Re: Re:
Well, first, it isn't their airspace, and they have no right to claim control over it like that. Period. Second, what threat does "an unauthorized wifi access point within their airspace" pose to their networks? None whatsoever -- those hotspots are not connected to the hotel's networks.
[ link to this | view in thread ]
Re: Re:
Legal? That seems debatable, since the FCC is claiming otherwise at least in Marriott's case. Necessary? Not by a longshot.
[ link to this | view in thread ]
Re: Re:
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Re:
Except that technically this isn't what Marriott did. They weren't interfering with any radio communication -- all radio transmissions were being allowed to be sent and received without interference.
[ link to this | view in thread ]
Re:
"they need to give people a reason NOT to use their MiFi by giving registered guests free WiFi."
True in principle, but I think it's important to note that this case doesn't involve hotel guests at all. It's the attendees to a conference held in their conference rooms.
[ link to this | view in thread ]
Re: Re:
But as I say, if Marriott was really concerned about . . .
[ link to this | view in thread ]
Re: Re:
> so any kind of radio transmitter device needs FCC approval
The FCC regulates the airwaves. We, the people, own the airwaves, or more properly the spectrum. The spectrum is a limited resource. Like water, forests, and breathable air. Therefore, it should be regulated in the public interest.
(Of course government seems less and less interested in the public interest, but I'm glad that in this instance the FCC is doing its job.)
[ link to this | view in thread ]
The Communications Act of 1934
Section 301 - requires persons operating or using radio transmitters to be licensed or authorized under the Commission's rules (47 U.S.C. § 301)
Section 302(b) - prohibits the manufacture, importation, marketing, sale or operation of these devices within the United States (47 U.S.C. § 302a(b))
Section 333 - prohibits willful or malicious interference with the radio communications of any station licensed or authorized under the Act or operated by the U.S. Government (47 U.S.C. § 333)
Section 503 - allows the FCC to impose forfeitures for willful or repeated violations of the Communications Act, the Commission's rules, regulations, or related orders, as well as for violations of the terms and conditions of any license, certificate, or other Commission authorization, among other things.
Section 510 - allows for seizure of unlawful equipment (47 U.S.C. § 510)
The Commission's Rules
Section 2.803 - prohibits the manufacture, importation, marketing, sale or operation of these devices within the United States (47 C.F.R. § 2.803)
Section 2.807 - provides for certain limited exceptions, such as the sale to U.S. government users (47 C.F.R. § 2.807)
The Criminal Code (Enforced by the Department of Justice)
Title 18, Section 1362 - prohibits willful or malicious interference to US government communications; subjects the operator to possible fines, imprisonment, or both (18 U.S.C. § 1362)
Title 18, Section 1367(a) - prohibits intentional or malicious interference to satellite communications; subjects the operator to possible fines, imprisonment, or both (18 U.S.C. § 1367(a))
[ link to this | view in thread ]