The controversy over Wi-Fi blocking was mired in misunderstanding, according to Arne Sorenson (pictured) , Marriott's president and CEO.
"Marriott Wants to Block Your Wi-Fi!" screamed January's headlines, and those headlines were everywhere. What happened? The Marriott-operated Gaylord Opryland Resort & Convention Center in Nashville had blocked some conference-goers from setting up personal Wi-Fi hot spots in a meeting area, and the Federal Communications Commission took a hard-line stance against such practices. The FCC fined Marriott $600,000, and the lodging company was cast as the bad guy in a public lashing over Internet-access restrictions.
Well before the FCC levied the fine, Marriott, along with the American Hotel & Lodging Association, had filed a petition with the commission that sought clarification on what wireless network operators were permitted to do in the name of network security. However, pummeled by bad press and outraged customers who saw the request as a assault on Wi-Fi freedom, Marriott withdrew the FCC petition.
"Many thought our actions smacked of greed, that we were looking for a way to force customers to buy access to Wi-Fi in our hotels," wrote Marriott president and CEO Arne Sorenson in a Jan. 30 blog post. "Denying this and pointing out that individual guests [who are Marriott Rewards members] could easily get free Wi-Fi didn't help much. Nobody really had time to get into the details. Mostly our statements just led to more negative coverage and reaction."
While the hotelier opted to back out of the debate, there's still confusion about the relationship between Wi-Fi freedom and network security. The complex topic will remain a hot button for meetings -- at least until regulatory guidelines are fine-tuned.
Review of the Facts
The Wi-Fi flap was difficult to sum up in tidy sound bites, which led to much misunderstanding. Many of the headlines proved inaccurate. M&C took a closer look by reviewing documents and speaking to technology experts, as well as Marriott, to dispel some of the myths. Among our conclusions:
• Marriott was not attempting to block Wi-Fi access in guest rooms or lobbies. The issue here was about the Wi-Fi in meeting spaces and the equipment used to monitor and potentially block personal hot spots in the vicinity.
• Marriott wasn't using illegal signal-jamming equipment. However, in an FCC Enforcement Advisory issued on Jan. 27, a few days before Marriott withdrew its petition, the FCC referred to the case and then, in the next section of its advisory, stated, "Federal law prohibits the operation, marketing, or sale of any type of jamming equipment, including devices that interfere with Wi-Fi, cellular or public safety communications," implying that Marriott could have been trying to do just that.
In fact, Marriott was using FCC-approved network-monitoring technology from Aruba Networks; similar equipment is made by Cisco Systems and others. These systems are widely used, not just in the hospitality sector but also in corporations, hospitals, universities, the military and elsewhere. Signal jammers, on the other hand, are illegal and cannot be purchased from your average retailer. But the FCC's advisory calls into question the legality of the blocking functions available in the FCC-approved devices. Neither Aruba nor the FCC responded to M&C's requests for comment. (Cisco issued a statement, which we'll address shortly.)
• Marriott's petition wasn't a protest of the fine. "We filed the petition [in August 2014]...well before the fine was brought down," notes Harvey Kellman, Marriott vice president and assistant legal counsel, information resources and eBusiness. "We filed the petition out of a genuine desire for the FCC to clarify its ambiguous rules, and to have other industries and stakeholders weigh into the debate concerning what steps a network administrator can lawfully take to protect the integrity and security of its network and Wi-Fi environment."
• There is not widespread use of the wireless network monitoring equipment in Marriott's portfolio. According to Kellman, 26 of Marriott's more than 3,000 hotels in the U.S. are equipped with the technology, and all of those are large, conference-oriented properties. Of the 26, only five hotels are actually using it, says Kellman, and in the past 90 days there were no instances of anyone being blocked. The platform serves primarily to monitor the Wi-Fi network and offers the option to contain "rogue" or unauthorized hot spots that could be deemed security threats.
Not So Hot Spots
When you select the Wi-Fi menu item on your computer or mobile device, you'll see a list of networks you have the option of joining. Each of those is a hot spot. If you connect to an open hot spot with which you aren't familiar, you could be opening up your device to risks from whomever set up that network -- unencrypted data may be stolen, malware could be installed on your computer, etc. Of particular temptation to hackers are places frequented by business travelers. Hot spots that attempt to spoof legitimate networks may use names like "Official Hotel Wi-Fi" or "Conference Wi-Fi." Network administrators who are monitoring the venue can spot attempts such as this, and with the right equipment and permission to use it, can shut down those hot spots. Defining security threats, however, isn't always so cut-and-dried.
In the Name of… Security?
What the Gaylord Opryland was accused of -- and what Marriott did admit was happening -- was disallowing some meeting attendees to connect to the Internet via their own personal Wi-Fi hot spots. In other words, those attendees set up hot spots using the data connections from their smartphones or portable routing devices, and attempted to share the connection with others.
When Marriott indicated that personal hot spots could potentially be blocked due to security concerns (see sidebar "Not So Hot Spots"), it caused an uproar, including from some in the meeting and technology industries (see our readers calling that claim "BS" in the comments at bit.ly/1MviAZ4). Why? Blocking someone's personal hot spot essentially forces anyone trying to connect to that hot spot to instead pay to use the venue's Wi-Fi network. And that, as many of us have found out, can be very expensive at a conference or trade show, particularly for exhibitors.
Paying anything at all for Wi-Fi access is a touchy point among planners; based on this month's M&C research, 80 percent believe Wi-Fi access in meeting space should be free. According to the FCC, at the time of the complaints at Gaylord Opryland, access was as high as $250 to $1,000 per device. (Gaylord notes that the cost varies according to exhibitor/conference bandwidth and other requirements. "We typically customize the offering based on customer needs," says Gaylord's regional director of information technology, Kevin D. Reiners.)
Technically Speaking
Explaining that a Wi-Fi monitoring system is simply part of a security infrastructure can sound awfully suspect when there is so much potential revenue at stake. If indeed a hotel's policy was to systematically block any personal Wi-Fi hot spots, the security excuse would be flimsy, according to experts.
"It's bunk," asserts Jordan Schwartz, CEO of event-networking platform Pathable in Seattle. "Let's just say it's incredibly convenient that [Gaylord's] actions, nominally in the name of security, should net them anywhere from $250 to $1,000 per device," he says.
Schwartz points out that a) it should be obvious to a network administrator, based on the network name, whether a rogue hot spot is attempting to spoof a legitimate venue hot spot to lure attendees for nefarious purposes, and b) forcing everyone onto the same Wi-Fi network doesn't necessarily improve security. "It's forcing one form of insecurity in the place of another," he explains. "Yes, the network is password-protected, but everyone with the password has access to the traffic over it. So if you're sending unencrypted traffic, you're exposed." Such blocking, in other words, would speak to some security threats but potentially lessen security for attendees who have to join the venue Wi-Fi network against their desires.
Cyber-security expert Scott Schober agrees that it's difficult to overlook the financial aspect of the case. "It would be different if they didn't profit from it," says Schober, president and CEO of Metuchen, N.J.-based Berkeley Varitronics Systems, "and instead said they were just securing the network for guests and attendees. But the fact that it's easy to show there's a lot of revenue involved is a little bit incriminating."
Not Company Policy
Clearly, Marriott faced an uphill battle in convincing skeptics that financial gain didn't factor at all into the Gaylord blocking incidents. Were it indeed a property policy to block such connections across the board, the practice would be tough to legitimately defend. But there wasn't evidence that the Gaylord Opryland was blocking all personal Wi-Fi hot spots, much less that Marriott was as a company -- only that some people had been blocked.
Marriott didn't protest the fine; rather, the hotel company paid it after conducting an internal investigation. (Marriott had only assumed control of Gaylord Opryland operations a few months before the complaints were filed.) According to Marriott, the hotel was not blocking all personal hot spots but had blocked hot spots both to address cyber-security threats and to improve network performance when certain Wi-Fi hot spots were causing interference. Although there was some ambiguity, the FCC had indicated that blocking to reduce interference was a no-no. At that point, Marriott paid the fine and ceased blocking for reasons of interference, according to Kellman.
A Call to Action For Hotels
The Marriott case underscores the need for lodging companies to be more aware of individual property practices, whether they are new operators of the property or not.
"After this investigation happened, we started inventorying what equipment we have where," says Harvey Kellman, Marriott's vice president and assistant legal counsel for information resources and eBusiness. "These are property-based technologies, so we don't have the oversight that we have with respect to property management systems or other things that are controlled at the corporate level." Nor did a policy exist regarding use of the equipment.
"We had to educate ourselves," admits Kellman. "What are the rules that we should put in place?" When the investigation began, says Kellman, Marriott decided to block hot spots only "in the face of legitimate, clearly defined security threats." Now, since the FCC released its advisory, Marriott hotels are not blocking at all.
The American Hotel & Lodging Association and its newly formed Cybersecurity Task Force aim to educate and define wireless-security best practices. Both Marriott and Hilton are confirmed members of the task force; the group intends to collaborate with partners from technology and telecommunications companies, as well as with the FCC and other government entities, according to AH&LA spokesperson Rosanna Maietta. She says they hope to develop best practices over the next two to three months.
The Real Security Threat?
Whatever actually occurred at the Opryland property, here's why we'll be hearing about this from hoteliers and others again: In its Jan. 27 enforcement advisory, the FCC took a particularly tough stance on the practice of blocking any unauthorized hot spots.
"No hotel, convention center or other commercial establishment, or the network operator providing services at such establishments, may intentionally block or disrupt personal Wi-Fi hot spots on such premises," reads the advisory, "including as part of an effort to force consumers to purchase access to the property owner's Wi-Fi network. Such action is illegal."
Whether or not revenue gain was a factor, the larger question is, should wireless network operators never be allowed to block rogue hot spots? Using these monitoring systems to block potential threats has clear precedent. As Marriott and the AH&LA point out in their petition-withdrawal letter to the FCC, the Department of Homeland Security recommends using such platforms as a best practice -- not just in cases of national security but also in the private sector. Use of these systems -- and the ability to contain rogue hot spots -- is part of the PCI Compliance security standards, in fact, for every company that accepts credit card transactions over wireless networks.
While Scott Schober is skeptical that blocking at the Gaylord (or at any other hotel in the U.S., for that matter) wasn't motivated at least in some cases by reasons of revenue, he agrees wholeheartedly with Marriott's point that the ambiguity in these laws must be addressed.
Scott Schober, CEO,
Berkeley Varitronics Systems "There was some confusion about what was happening," says Schober, who the FCC consulted during the early phases of its investigation. "I do think that the onus should really be on the FCC to have a clearer ruling about what is acceptable and what's not. There's a lot of ambiguity. To me, if it's not something that should be allowed to be used, or is not legal, then why would the manufacturers be allowed to put that in as a feature?"
That's precisely one of the questions Marriott posed to the FCC in the petition that has since been rescinded. One manufacturer of such equipment, Cisco, issued a public statement with its own interpretation of the ruling. "Cisco believes that the FCC intended the prohibition to apply to organizations that operate networks in places where the public is routinely present or invited, and not to corporate networks used by employees or to corporate guest networks." Cisco goes on to recommend that customers consult with legal counsel before deploying the feature.
Hotelier Hands Tied
The problem now, as Kellman sees it, is that the FCC's wording eliminates a hotel's ability to block legitimate threats on the network, including something so obvious as a rogue hot spot that purports to be an official hot spot of the venue. This will affect what hotels can offer planners, says Kellman.
"We get requests by conference planners who are planning events for law enforcement, defense-related conferences or government contractors that the hotel effectively clear the airspace," says Kellman. "They don't want unidentified Wi-Fi hot spots operating in that area, and for good reason. I don't know what we say the next time that request comes in. I think the answer is 'no, we can't,' even though the request is coming in the spirit of a legitimate security concern. But now we can't lawfully guarantee that we clear the airspace -- nor, at this point, can any hotel. It would have been great to have that discussion [with the FCC] in the context of this proceeding."