The Marriott WiFi Kerfuffle: A Deep Dive
Marriott International has been in the news a lot in the last few months, specifically in regards to whether or not it has the right to block personal Wi-Fi devices on its properties. Many think the matter has been resolved, with Marriott “caving in” to consumer backlash and criticism from the likes of Microsoft and Google. But this story is far from over if you go a little deeper, and isn’t nearly as cut and dry as some sensationalist headlines and Tweets may have led you to believe.
It's unfortunate that if you search for Marriott right now, the WiFi Kerfuffle is most likely the story you'll find. I've really enjoyed my stay at most Marriott branded and managed hotels, and I think a lot of their newer initiatives are quite savvy. But those stories have been overshadowed by this one.
This story hit most of our news feeds in October of 2014, when the US Federal Communications Commission fined Marriott $600,000 for violating the Communications Act of 1934 (yes, 1934). The FCC had received a complaint that the Gaylord Opryland was “jamming mobile hotspots so you can’t use them in the convention space.” They investigated and determined Marriott was in violation of section 333 of the Communications act, which prohibits interference with radio communications.
Marriott responded immediately, saying that they were using completely legal technology, and that it had “strong interest in ensuring that when our guests use our Wi-Fi service, they will be protected from rogue wireless hotspots that can cause degraded service, insidious cyber-attacks and identity theft.”
In August 2014, Marriott (along with the backing of the American Hospitality & Lodging Association) filed a petition stating that they should have the ability to manage their own networks in order to offer stable and reliable WiFi service, as well as mitigate security threats. They asked that personal hotspots be exempted from the protection provided by Section 333 of the Communications Act. Basically they said that they, as property owners and WiFi providers, had a right to defend their network and maintain a level of service for their guests. They further reiterated that they were not using radio frequency jamming hardware, merely using a perfectly legal network monitoring and management system.
Shortly thereafter, Microsoft and Google joined the fray, sending their own comments to the FCC in opposition of Marriott’s petition. The core of their arguments were that what Marriott was trying to block wasn’t actually on *their* network, and that they were willingly interfering with radio communications, making them in violation of Section 333. “Allowing hotels or other property owners deliberately to block third parties’ access to Wi-Fi signals would undermine the public interest benefits of unlicensed use,” Google wrote in it’s statement.
Marriott initially responded to these criticisms by “clarifying” that they only had intention of blocking personal hotspots in its convention areas, and not in guests’ rooms. As the weeks went on, though, and public pressure mounted, Marriott eventually announced that it would no longer block personal hotspots at all. “Marriott International listens to its customers, and we will not block guests from using their personal Wi-Fi devices at any of our managed hotels,” the company said in a statement.
So that’s it, right? Game over, and personal liberty has triumphed. U-S-A! U-S-A! Not quite.
As it is with so many things, not every part of this story is as simple as most of the headlines make it out to be. First of all, Marriott is absolutely correct when it says that the technology it was using is perfectly legal. The equipment is FCC-authorized, and it was not in any way using “jammers” that interfere with radio signals directly. It is not only illegal to use jammers, it’s even illegal to sell them in the United States. The network monitoring system Marriott was using offered the capability to “contain” a malicious WiFi hotspot found in the vicinity, and had the ability through some Internet trickery to effectively block the communication of any device with that hotspot.
The FCC agreed that while this was not technically interfering with the radio signals themselves, the net effect was the same- people were unable to use their personal hotspots once they were “contained” by the system. And that’s the other part of the problem- it appeared that the employees of the Gaylord Opryland were using the containment features of the system to prevent basically all of their guests from using their own WiFi devices, and not just malicious devices. I suspect that the FCC would not have come down so hard on Marriott had they only been containing obviously malicious hotspots, but instead were blocking any and all personal hotspots in the area- and then offering their own WiFi services at the sometimes exorbitant rates we all know and love.
So the system Marriott was using is technically legal. And what they were doing was not technically jamming. I think the problem arises from the execution, and extent, of the blocking, which appeared to be indiscriminate. As the FCC put it, “Wi-Fi is an essential on-ramp to the Internet… …The growing use of technologies that unlawfully block consumers from creating their own Wi-Fi networks via their personal hotspot devices unjustifiably prevents consumers from enjoying services they have paid for and stymies the convenience and innovation associated with Wi-Fi Internet access.” Gotta admit, they’ve got a point there.
But what about Marriott’s argument that it has a right to defend it’s network? The problem, as Microsoft and Google pointed out, is that the WiFi hotspots in question aren’t on their network. They’re all running on licensed and unlicensed spectrum outside of Marriott’s own WiFi network. In their August petition, Marriott offered in its defense that many colleges and other institutions used the same network monitoring system as theirs, and then offered three specific examples of large universities employing “various techniques to ensure network performance.” These included the fact that Duke University limits students’ bandwidth use on their WiFi networks to 5GB a day, and throttle those that violate the policy repeatedly. They also offered that Northwestern University protects its network from hazards and “defective computer” problems by disconnecting these systems forcibly from the network without notice.
Both are examples of containing a security risk or performance issue on the university’s own network, and make no mention of wireless hotspots. In fact, they double (and triple) down on this argument in the Appendix of the petition, offering excerpts from 24 college and universities’ IT and Network management techniques. None of which have anything to do with wireless hotspots.
Most of the remaining arguments in the petition continue to stress security issues and the weaponization of personal hotspots. They also had an entire second section dealing mainly with definitions of “interference” and how devices are classified by the FCC. It’s pretty jam packed with legalese, and it’s exciting stuff, let me tell you. Basically it sums up to, “and besides - we don’t think this stuff even applies to WiFi, but even if it did we still should have the right to block what we want to. And if it doesn’t, you should make an exception and let us. Nyeah.” What I do know is some suits got paid some good money to write up that section.
There is a problem with malicious rogue hotspots, but this is mentioned only in passing in the petition. People can name their WiFi hotspot “Marriott WiFi” and if unsuspecting convention goers attach themselves to such a hotspot they are in danger of having their traffic monitored, including credit card details, usernames, and passwords. Of course, they’re just as likely to have their traffic monitored on the unsecured WiFi networks that 99.99% of hotels offer, but that’s a different rant for another day.
Problem is, that could happen anywhere, including coffee shops, malls, restaurants, and in fact this has *always* been a problem since WiFi was invented. Anyone else remember the old “FREE WIFI” icons that would appear in the Windows XP task bar that were actually other computers trying to set up peer to peer networks for evil?
Marriott did make one more point that was barely mentioned in the petition, or in their subsequent statements in the PR battle to follow. Sadly, I think it’s their strongest argument, at least it could have been when it came to public opinion. WiFi pollution is real, and the more hotspots that are jammed into an area, the more the integrity of the signals is degraded due to natural interference. When Marriott offers high speed WiFi to their meeting and convention guests, usually for what some might call exorbitant rates, their guests are going to expect it to work properly. They do indeed have an obligation to provide certain levels of service to their guests, and they can’t offer that level of service if things are all jammed up with WiFi traffic.
Personally, I would have led with that argument. Immediately following the fine, their response could have been, “Look, we’re sorry. We probably shouldn’t have done that, but Marriott seeks to provide the highest quality in all of it’s services, and that includes our WiFi service. Our guests pay for a premium service, and we were attempting to provide that by reducing the interference generated by these types of devices. Obviously, we went too far.” From that point on they could have engaged in a dialog with their customers on the best way to achieve reduced WiFi interference at trade shows and large conferences, rather than seeking rule changes, exemptions, or just issuing hard-headed “We didn’t do anything illegal” statements.
There was another possible course as well - they also could have just quietly paid the $600,000 fine, which is couch cushion money for a company that had over $600 Million in net income in 2013 and was expected to have $1.6 Billion in 2014 fee revenue alone. Instead of bringing attention to the issue (AKA the Streisand Effect), this little legal problem might have slipped away gently into that good night. I get it though, it’s the principle of the thing. They wanted to control the situation on their own property and didn’t like being told they couldn’t. And finally, once they had Microsoft, Google, the WiFi Trade Association, and almost every blogger and Tweeter on the planet telling them to give it up, they did.
Marriott bows to complaints, won't seek OK to block customers' Wi-Fi
Marriott will not block guest hotspots
Hotel giant Marriott caves in, promises not to block wi-fi
Marriott: You win, we won't block Wi-Fi
And there was much rejoicing.
Why it isn’t over:
Most people only read the headlines, and the headlines say it’s over. I read the full statement- and it made me sad. Here it is in it’s entirety:
There it is. Remarkably short. Still “all in” on the security angle, and now not even a passing mention of wireless congestion, level of service, or commitment to quality - indeed no mention of the only legitimate argument they have. Two things concern me the most: first, the complete lack of an apology. I’ve yet to see anywhere in writing the company actually admitting that they might have gone over some line. If it’s out there, it’s not being reported, so please point me to it if it exits. Secondly, I’m worried about the last sentence, where they “continue to look to the FCC to clarify” and seek “to find appropriate market solutions”. This tells me they still, under the guise of network security, want to find a legal way to block personal wifi hotspots.
Sadly, I know the answer to that quest. The answer lies in contract law. Agree or disagree, they have a right to control what happens under their roofs when there’s a contract involved. All they have to do is add a clause to all their large scale meetings and events contracts that prohibits the use of personal WiFi hotspots and grants them the right to block them if they see them. This will quietly start to get slipped in to their event contracts, claiming concerns for network security (and if we’re lucky, quality). And fear not, the rest of the industry will follow, just like airlines and baggage fees. The savvy event planners will negotiate this point, as they do with rigging, in-house AV requirements, obscene WiFi rates, and other line items. The vast majority, however, will simply go along with it.
And of course the ultimate irony is that the rogue malicious hotspot provider won’t have signed that contract, making it illegal for the hotel to block them.
Before the digital ink was dry on this article, we received the next chapter in the story. Have a look at the FCC's response to the Marriott petition:
And just to keep things rolling, shortly after Marriott released their statement, the American Hotel & Lodging Association withdrew the petition from the FCC. The statement can be found here:
Unfortunately they, too, seem Hell-bent on emphasizing the network security aspects of the petition, rather than Quality of Service arguments. I have requested more information regarding their "Cybersecurity Taskforce."
It's been pointed out to me that even with putting it in the contract, venues wouldn't likely be allowed to use WiFi disrupting technology. This seems likely to be the case given the sternly worded response from the FCC issued in the 1/28/15 update listed above. I've been noodling on this, though, and although it would be more difficult to enforce, I still think we could see this start to make it's way into meeting and event contracts. Though the venue won't have the ability to "block" personal hotspots, they could make a "No personal WiFi Hotspot" clause part of their agreements, and attach a financial penalty if their use is discovered, say, on a trade show floor.
A less overtly greedy method, though, would be to not include this clause as part of the main contract, but rather include it as part of the contract that includes WiFI service being provided by the venue. Then the venue has a vested interest in providing a certain quality level, which can of course be disrupted by too many WiFi signals. It basically says to the event manager, "OK, we'll provide you WiFi service for your event, but in order to do so effectively, you need to ban the use of personal WiFi hotspots by your attendees. In the event your service is being disrupted by WiFI pollution due to too many wireless hotspots, we are not responsible, and you still have to pay us- even though your service sucked." Or something like that.