Wireless Community

There have been a number of articles recently ["1":1, "2":2] about a new proposed law in Westchester County (just north of New York City, for those of you who aren’t from around the area) that will require providers of Public Internet services to install secured and firewalled networks. Much of the writing on this proposed law, called the “Public Internet Protection Act”, claim that it mandates that all Wi-Fi networks in Westchester County be encrypted, and that all such networks are also registered with the County.

In reading the proposed law, now available on the County Government’s website”:3, it seems that much of the criticism is a bit overzealous. I called up the County office and spoke with Andrew Newman of the Westchester County Executive’s Office in order to understand the motivations and specifics of the proposed legislation.

The intent of this proposed law is to specifically protect residents of Westchester County from incidents of Identity Theft, a growing concern amount local legislators who feel that (primarily) financial and commerical institutions aren’t doing enough to protect the privacy and financial records of their customers. They are right to be concerned, though it seems that they may not really be addressing the issue, and are certainly mis-identifying Wi-Fi networks as primary vehicles for such crimes.

The legislation requires that all “Commercial Businesses” that provide “Public Internet” access (whether wired or wireless) to protect via a firewall access to all private information that the business collects and stores, and that the business must file a Notice of Compliance with the County indicating it has secured its network. In instances where such Public Internet services are provided, the County is requiring a disclaimer be displayed that says:

bq. YOU ARE ACCESSING A NETWORK WHICH HAS BEEN SECURED WITH FIREWALL PROTECTION. SINCE SUCH PROTECTION DOES NOT GUARANTEE THE SECURITY OF YOUR PERSONAL INFORMATION, USE YOUR OWN DISCRETION

Further, the legislation requires any “Commercial Business” that stores or uses personal information must install a firewall to protect that information even if they don’t provide Public Internet service. If a business fails to comply with the legislation, there are warnings and then fines that will be levied.

The County will also be putting into place a public education effort to inform its residents and network providers about network and personal information security.

It seems that such Community Network efforts, as well as home and home business networks, are not covered by the legislation. In fact, Mr. Newman indicated that such networks wouldn’t be affected since there is no “goods or services for sale for profit” associated with those networks.

There are, however, a couple of things to be concerned about with this legislation:

* Wireless internet, while given a first class position in this legislation (I appreciate the attention), is of minor significance when considering _how_ identity theft currently happens in this country. The vast majority of identity theft happens through other means, including equipment theft and even over the phone.
* Most identity theft happens via centralized datacenters, outside of the local jurisdiction of the county government. This proposed law does _nothing_ to protect residents from any potential identity theft issues that are outside of the County lines. The vast majority of incidents will happen in other locations, but will affect local residents. While its important to ensure that _everyone_ who collects personal and financial information protects this data, merely securing wireless networks from hacking a single type of hacking isn’t going to do much, and will provide a false sense of security. If you process credit cards, then you have lots of credit card receipts with signatures on them.
* Wireless hacking is a lot more difficult than these legislators think. Yes, I too can drive around a downtown area and see dozens or hundreds of open access points. But sniffing a wireless network and extracting private data from computer systems is a lot harder than that. There is an example mentioned in the legislation justification about how the CIO of Westchester County found an open network and logged into a private server (they informed the owner of the network and server of what they found), we shouldn’t be creating legislation based on a single incident, or even a small number of incidents.
* While the goal of the proposed legislation is protecting local residents from Identity Theft, the legislation doesn’t really seem to address this issue. Firewalls are only a partial security feature of any well run and protected network, and there are plenty of other ways for such private information to fall into the wrong hands. In fact, the vast majority of large scale Identity Theft cases result from either an insider stealing the data, or the computer device containing the data being stolen. The legislation doesn’t help in either of these cases, and threatens to make matters worse since it will surely give businesses the excuse that they are “secure” when they follow the County’s legislation, even though they are leaving themselves open for attack on a number of other fronts
* Identity Theft cases cause thousands of dollars (or more) in damages to the people involved. Fining a business only a few hundred dollars to prevent such cases from happening is hardly a deterrent.
* There is a public registration requirement that essentially forces all businesses to register their network security compliance with the County. This amounts to asking all businesses to submit themselves to be monitored by the local government in a way that they have never have been monitored in the past. This seems to be quite an onerous requirement for the vast majority of small and medium businesses, especially since the proposed law casts an unreasonably wide net when determining what businesses are affected.

If such types of legislation are in our future it seems clear that we need far more thought about how to specify some base level of compliance. Requiring businesses to only keep personal information for a limited amount of time, requiring they securely destroy this information, and preventing them from blanket collection of any personal information is a far better way to start protecting personal information: *If you don’t collect it or don’t have it, then someone can’t seal it from you*.

Furthermore, network security is a complicated topic, and we certainly need far better security than just firewalls to protect personal information. I’m not sure of how to specify security requirements, but if necessary, perhaps organizations that keep personal and private data for more than a week or so should have to be audited by a network security professional.

And of course, if any organization is gathering or keeping personal information, public disclosure of this fact, including details about how such inforation is used and how long it will be stored.

Such policies as those I recommend would certainly be _more_ secure than merely firewalling your Wi-Fi networks.

[1]http://westchester.com/Westchester_News/Westchester_Government_and_Politics/New_Law_Proposal_To_Counter_Risks_Of_Wireless_Networks_200511045923.html
[2]http://networks.silicon.com/mobile/0,39024665,39153963,00.htm
[3]http://www.westchestergov.com/currentnews/2005pr/Wireless%20law.htm

Filed under: Community Wireless, News, Policy

I’m a little late on this news item, but “Om Malik confirms”:1 what I have talked about in the past “about Verizon removing copper lines when installing FiOS lines”:2.

It seems there’s confirmation that Verizon is removing copper lines when installing fiber. This is a doubly bad thing for us consumers: It removes any competitors from providing service over Verizon’s cables, since DSL is no longer available if phone lines aren’t available, and it prevents the customer from switching back to DSL from fiber, thereby locking in the customer to using Verizon service. This is highly anti-competitive behavior, and should be stopped by the FCC and local governments.

Part of what makes this so apalling is that in many cases the copper lines that Verizon is ripping out have been subsidized and essentially paid for by our tax dollars, in the form of enormous subsidies and tax breaks. Over the past 20 years, Verizon and SBC have promised to install high speed fiber lines across much of America in return for money subsidies and tax credits. In almost all cases, these telcos have failed to deliver on their promises (they lied to us) but keep the money. Now they are removing all of the wiring that *we* paid to install!

[1]http://gigaom.com/2005/10/14/verizon-fios-insures-future-monoply/
[2]http://www.wirelesscommunity.info/2005/07/11/times-ledger-interview-on-verizon-fiber-fios-and-competition/

Filed under: Community Wireless, News, Policy

In a “recent BusinessWeek article”:1, SBC CEO Edward Whitacre made some very provocative statements with regards to allowing the Googles and Vonages of the world to provide services over the Internet to subscribers of the SBC broadband network:

bq. “How do you think they’re going to get to customers? Through a broadband pipe. Cable companies have them. We have them. Now what they would like to do is use my pipes free, but I ain’t going to let them do that because we have spent this capital and we have to have a return on it. So there’s going to have to be some mechanism for these people who use these pipes to pay for the portion they’re using. Why should they be allowed to use my pipes?

bq. “The internet can’t be free in that sense, because we and the cable companies have made an investment and for a Google or Yahoo! or Vonage or anybody to expect to use these pipes [for] free is nuts!”

This is the first signal that the ever larger telecom and cable companies want to carve up the Internet in order to become fee-charging gatekeepers, blocking out competition for services by controlling who can access their broadband subscribers. While SBC is not a major provider of broadband services in New York City, similar ideas and actions may well be being discussed in the corridors of Verizon, Time Warner Cable, and Cablevision.

As customers of ISPs, we are already paying for our service and our open access to online content and services. It is unreasonable and unthinkable to think that the websites and online services we use will be charged by our ISP in order to provide us with a service.

Given the brash statements made by SBC, we must ask the large ISPs to make public statements ensuring they will continue to run an open network in which customers can access any and all legal content and services provided by any and all individuals, organizations, and companies online.

*Update* – *More Articles:*

“eWeek”:2 – Nov. 3, 2005

[1]http://www.businessweek.com/@@n34h*IUQu7KtOwgA/magazine/content/05_45/b3958092.htm
[2]http://www.eweek.com/article2/0,1895,1881338,00.asp

Filed under: Community Wireless, News, Policy

As a follow on to my previous post about “why Google (and any other online company) should want more Community and muniwireless”:1, last week the High Tech DTV Coalition “wrote a letter to the Congress”:2, proposing that “universal broadband” could add $500 billion annually to the country’s GDP.

*More internet users means more online commerce.* This can only be good for our economy and our country.

[1]http://www.wirelesscommunity.info/2005/10/02/google-proposes-free-muni-wireless-network-for-san-francisco
[2]http://www.dtvcoalition.com/media/misc/CEOhouse.pdf

Filed under: Community Wireless, News, Policy

The FCC “recently approved the mergers of SBC Communications Inc. + AT&T Corp. and Verizon Communications Inc. + MCI Inc”:1. These mergers mean that now, the two largest telcos will own not just the last mile pipes (the copper from your home to the telco’s central office), but significant chunks of Internet backbone as well. This will probably be a very bad thing for most, if not all, consumers and businesses in this country. But I think the best summation is from “FCC Commissioner Michael Copps”:2, who wrote in his opinion:

bq. “If you seek the reason why we haven’t arrived at that happy valley of competition rife with consumer benefits, you can start with the misdirected policies of the FCC over the last several years. On too many fronts, the Commission put the spear to the pro-competitive policies of the Telecommunications Act of 1996. It put intra-modal competition for the residential market pretty much beyond reach for new entrant carriers and then proceeded to inhibit enterprise competition, too. We turned our eyes away when enforcement was needed to keep bottleneck facilities open. And all the while we kept singing confidently “Don’t Worry, Be Happy” — inter-modal competition is going to save us with all its new options. Maybe, but then again maybe not — we’re still waiting. I think we ought to be concerned. Thanks in part to our actions, the wireline market became increasingly the province of the few. More than half of the wireless market came under the control of incumbent wireline providers. New services like VoIP have been held back by the high cost of broadband in this country. And now the Internet backbone seems headed in the same direction of control by a favored few.”

The question now is: *What are we going to do to ensure that these super-telcos serve the public good?*

[1]http://www.usatoday.com/printedition/money/20051101/2b_telecoms01.art.htm
[2]http://www.fcc.gov/commissioners/copps/

Filed under: Community Wireless, News, Policy