Rick Hampton, the wireless communications manager for Boston-based Partners Healthcare, has seen the dialogue among network professionals heating up in the wake of the FCC's sternly-worded enforcement warning about illegal Wi-Fi blocking and says it's no wonder the commission is fired up.
He contends that the way in which many organizations have set up their wireless networks, based on overhyped products that have led them to believe anything goes, just won't fly in a world where people increasingly are using personal Wi-Fi hotspots to get safe and easy Internet connectivity over unlicensed airwaves wherever they happen to be. After all, the FCC was created by Congress back in the 1930s to put the kibosh on just such intentional interference of radio devices.
A 42-year veteran of the wireless industry and self-described privacy advocate, Hampton says the FCC was correct to fine Marriott International last year for shutting down convention center visitor hotspots via de-authentication messages. He advises other organizations across various industries to review and if necessary change their practices before they get nailed, too.
Here's what Hampton, who has worked on everything from military systems to medical devices (and has spent time working with the FDA and FCC on wireless medical systems), says about running a wireless network that will serve your organization and not get you in trouble with the government.
To start, what's your general take on the FCC's Marriott case and its follow-up enforcement warning?
It's an unfortunate, but fairly predictable result of what happens when someone doesn't pay attention to the rules and thinks they won't get caught if they break them. For this discussion, let's leave out the issue of how Marriott's monetization of their Wi-Fi network factored into all this. Marriott claimed they deauthenticated customers from the customer's hotspot devices in order to protect Marriott's Wi-Fi network from interference caused by those hotspot devices. But the rules don't allow this. Look at the pertinent part of the rules, contained in Title 47 of the Code of Federal Regulations, Part 15.5:
§15.5(a), means no one has a vested right to use a given frequency any more than anyone else. We must share and share alike. Even if you turned your system on first, you have to share the spectrum with everyone else who comes along later.
§15.5(b) means you can use a frequency as long as you don't cause harmful interference to other users. For unlicensed devices, which include Wi-Fi, the FCC has consistently interpreted this to mean that interference incidental to the operation of a properly functioning device is allowable. Someone using a properly operating hotspot in your vicinity has as much a right to operate their device as you do operating your device, even if the two systems cause problems with each other. Further, the Commission has also consistently interpreted this to mean that intentional interference meant to deny someone else from using the frequency is illegal.
Marriott's case is one where they assumed they had more of a right to the spectrum than other wireless users. Marriott further assumed they could intentionally interfere with the other users to take control of the spectrum. Marriott was wrong on both counts and the FCC fined them for their mistake. (For more on this story, see "Marriott CIO: FCC message on Wi-Fi blocking loud and clear.")
One other note: some people are complaining that disassociation/deauthentication is not the same as interference. Let's take a closer look at that.
Disassociation/deauthentication by an intrusion protection system works by repeatedly emitting a signal from a Wi-Fi device that causes the target device to disconnect from its network, resulting in a repeated interruption to the radiocommunication service of that Wi-Fi device. The rules say:
§15.3(m) Harmful interference. Any emission, radiation or induction that... seriously degrades, obstructs or repeatedly interrupts a radiocommunications service operating in accordance with this chapter.
Comparing the operation of an IPS's deauthentication feature to the definition of harmful interference, it's easy to see that if someone intentionally deauthenticates someone else, the person doing the deauthentication is causing harmful interference. That said, the FCC doesn't require you to share your network with everyone else, so using an IPS to deauthenticate unwanted wireless user devices from YOUR network is legal. Using an IPS to deauthenticate unwanted wireless users from THEIR network is illegal.
The FCC has known about IPS offerings since they first came out. If the Commission believed their existence were illegal, they would have forbade their marketing, importation, sale and use from the very beginning, as they already do with all other forms of jamming devices. The Commission understands IPSes have a legitimate use. Thanks to Marriott, the Commission and everyone else now understand IPSes can have an illegitimate use.
How common do you think the Wi-Fi blocking practices used by Marriott are among other organizations (not just in the hospitality industry)?
Until this happened and wireless engineers began posting their objections on internet sites, I thought this was a rare occurrence. It's pretty obvious now that when the FCC says they're concerned by the number of complaints they've received, they aren't kidding. Not having seen actual numbers, I'm not sure what adjective I would use to describe the magnitude of the problem. It certainly doesn't appear to be an isolated problem, either in terms of raw numbers or in terms of a specific industry.
Why do you think that's the case?
One reason is because very few wireless engineers have read and understand the FCC's rules for operating Wi-Fi systems or other unlicensed devices. The comments being posted certainly support this conclusion. Most Wi-Fi engineers seem to think they only need to concern themselves with microwave ovens, Bluetooth devices and Wi-Fi hotspots. They have no idea they are also required to share the spectrum with amateur radio, remote TV broadcasting, radio-navigation, and others... with Wi-Fi being on the bottom of the regulatory heap. It only takes one careless user, like Marriott, to cause problems for everyone.
If your only understanding of FCC regs and RF systems comes from one of the wireless networking certification programs or what the vendors tell you, which seems to include a significant percentage of the wireless engineers, you may not sufficiently understand enough to question the vendors' marketing material. By far, the best wireless engineers I've met either have an amateur radio license, prior military communications experience, or have spent as much time learning how the RF portion of their systems work as they have learning how the software portion works.
Wireless engineers need to understand they are responsible not only for the technical operation of these systems, but the legal operation, as well. They need to understand all the rules and regulations involved, not just channelization issues mentioned by the vendors. They need to push back harder against vendors when things aren't as they seem. As the Marriott case shows all too well, ultimately it is the responsibility of the person/entity deploying the system to ensure they got things right. I'm pretty sure that somewhere, a wireless engineer rues the day he realized he could use his IPS against other spectrum users. Everyone else should work to avoid repeating his mistake.
What role do the WLAN product vendors play in all this? What should they do going forward?
In my opinion, the Wi-Fi vendors have done a terrible job of marketing their products properly and responsibly. They do their best to present their products as technology so advanced, they're magical, one-size-fits-all solutions; you need not concern
yourself with the myriad, tedious details of designing and operating a wireless network. If you do ask about federal regulations or product shortcomings, the vendors pour on the snake-oil to obfuscate the issues. Just sign on the dotted line, click a few buttons and the wireless system will configure and defend itself automagically. Paraphrasing what another engineer told me recently, the wireless vendors have created the expectation that Wi-Fi has endless possibilities without any drawbacks.
In the real world, Wi-Fi operates under the laws of physics and is neither limitless, nor perfect. Designing wireless systems, especially Wi-Fi, requires optimizing trade-offs in coverage, capacity, speed, security, complexity, reliability and affordability. Rather than recommend systems designed to extract the maximum cash from each customer, vendors must work with customers responsibly to design wireless systems optimized for the customer's requirements. This is especially true in hospitals and healthcare. I've seen vendor recommendations that would likely violate not just FCC regs, but FDA medical devices regs, too. If the wireless engineers and hospital staff don't know the rules, patients could suffer. Wi-Fi can do a lot, but it has limits. Sometimes, those limits means Wi-Fi is not the proper technology for the job.
Simply put, wireless product vendors and wireless engineers must take seriously the need to design wireless systems properly and responsibly, especially when designing and operating in critical environments.
How does your organization handle Wi-Fi management and security, and specifically, how do you deal with Wi-Fi hotspot users near or within Partners facilities?
From day one, we understood we would have to share the radio spectrum with other users; that is to say, we knew the rules did not allow us to claim ownership of the radio spectrum or priority above anyone else. We knew we were allowed to protect our network from malicious activity, but if others were using the spectrum in good faith, we had to respect their legal right to use their equipment, too.
As it pertains to neighboring networks and Wi-Fi hotspots, we don't try to maximally exploit our infrastructure. We intentionally leave overhead so if someone else is using the same spectrum, the infrastructure's collision avoidance protocol can function properly. We also understood from the beginning the best way to control interference from other stations is to host them on your network. There isn't a lot you can do for neighboring APs, other than design your system with the appropriate link budgets. To deal with hotspots in our environment, we offer free Wi-Fi access. Most people are happy to use the free Wi-Fi and we don't have those hotspots banging away against our network.
Only twice in twelve years have we had problems with neighbors that we couldn't unilaterally mitigate with sound engineering. The solution was simple. I walked over, knocked on their doors, introduced myself and explained what was going on. I knew that due to the property of reciprocity, if their system was interfering with my system, my system was interfering with their system. We had a mutual reason to work together and it took only a few days to reconfigure our systems to coexist. We haven't had any problems of this nature since. There was no way that relying only on automated management systems would have resulted in this outcome.
Finally, if the application is absolutely critical, for example if a patient's life could depend upon it, we don't use Wi-Fi. Those applications go on a wire. There are a few notable exceptions where we work hand-in-hand with a medical device manufacturer to install their product to exacting specifications and design our system to avoid theirs. Otherwise, we follow the FCC's plan in those respects. We don't offer an SLA for Wi-Fi. We tell staff to use it the best they can, but understand we share the spectrum and can't control every aspect of it. Not understanding this aspect of wireless seems to be the biggest flaw for most users. There are some interesting and tragic reports in FDA databases covering the last few decades, showing how patients have been harmed or met an untimely demise because someone put too much faith in the magic of wireless systems... usually when sending medical alarms to staff. We should all pay great heed to those reports before marching off to Utopia, hand-in-hand with our wireless vendors.
Are you yourself a hotspot user, and if so, under what circumstances do you employ the technology?
Yes, I am a hotspot user. I am, after all, the Wireless Manager and I spend a fair amount of time on the road working with our various hospitals, clinicians and vendors, giving presentations, etc. To stay in touch, I tether my devices to my cell phone. When I have the option, though, I tether via a USB cable, rather than use Wi-Fi or Bluetooth. The cable affords me extended battery life on the phone, less interference from RF congestion, and greater security. I make it a habit to NEVER use free Wi-Fi services.
Being a bit of a privacy advocate, in addition to the smart phone and laptop provided by my company for work, I also have a phone and tablet for personal use. Yes, I carry them all. My avoidance of free Wi-Fi extends to not using the WLAN in our hospitals for my personal devices. Call it paranoia resulting from years in military Combat Communications, dealing with communications security and electronic countermeasures, and then mixed with ensuring the security of our medical devices at work. And, if you really must know, I spent a week last year installing Cat6 drops in almost every room of my home. Wireless is OK, but if you REALLY expect performance, reliability and security, nothing beats a wire.
If organizations are currently using Wi-Fi management/security techniques that would run afoul of FCC rules, how easy is it for them to shift to a different approach? Are we talking rip and replace or fairly manageable revisions?
If someone is concerned they are currently running afoul of FCC rules, the good news is, it's not a "rip and replace" process to get back on the right side of the law. Assuming the entity concerned hasn't gone completely off the rails, it should be a fairly simple matter of turning off the offending services and reconfiguring a few settings. The bad news is, someone will need to tactfully realign the expectations of the end users with reality. That's hard enough when you do it up front, like we do. It's worse with the embarrassment of having to retract from your previous position.
How easy is it for an organization to work with the FCC to get guidance on their wireless network setups?
It's not impossible, but it does take patience. Remember, the FCC is a large, government bureaucracy. They are responsible for a lot of items, some news-worthy and most not. Things you might have heard on the evening news include network neutrality, mergers of cable companies and cellular companies, Janet Jackson's wardrobe malfunction, etc. They get a LOT of phone calls and a LOT of email. Because of this, it's hard to get someone on the phone, or to receive an instantaneous response to your email. But someone will respond. I can't think of a single instance where I've felt ignored. I think the longest I've had to wait has been a couple of days.
If you do ask for assistance, use common courtesy. When you hear from them, don't argue or play "20 Questions" trying to find a loop-hole, if you don't like their answer. Unless you get lucky, the people on the phone or email are not the people who made the laws, they're just the ones trying to help you understand them. If you really feel you need to change the rules, learn how to submit a proper petition for consideration.