First published December 2014, updated November 2019.
So, you’ve got a guest wireless network, or maybe you’ve been considering rolling one out for the first time. You’ve done the research, and you’re feeling pretty confident about your hardware choices, network management strategy and planned security measures. All the boxes are checked, and you’ve covered all your bases. Or have you?
Legal compliance is an area of consideration seldom given a second thought when implementing a guest wireless network solution, and it’s not surprising why, considering how vague policies can be, and just how little people know about the laws pertaining to offering or owning a wireless network. And in this instance, ignorance certainly isn’t bliss, as being caught unawares in an infringement could cost you in steep penalties or make you liable for obstructing the course of justice.
An understanding of the legal acts relating to offering guest wireless access is the key to avoiding all of these issues.
Key Factors to Consider
1. Your Liabilities
You may be liable if someone using your WiFi does something illegal. Unless you have taken all reasonable precautions, you may be liable for damage caused by hacking or malware attacks to your customers’ equipment. Be sure to state clearly, in all terms and conditions or in a clear message on the login screen, that where the service allows access to the Internet, the user understands and agrees that the use of the Internet is at the user's own risk.
2. Your Statutory Legal Obligations
The European directive has been implemented in the UK under the Data Retention (EC Directive) Regulations 2009 and the January 2004 Code of Practice (for voluntary retention of communications data) implemented under the Anti-Terrorism, Crime and Security Act 2001. Under the above directive, certain types of data are required to be retained to identify the users accessing the Internet. The type of data to be retained is traffic data and location data, enabling the network owner to trace the source of a communication.
European General Data Protection Regulation (GDPR)
GDPR came into force in May 2018. This attempts to regularise many of the previous regulations and to increase data controllers' responsibility to look after, protect and use data subjects' data accordingly. In respect of guest internet access, your obligations will include being clear to your users about what data you will collect, what it's used for and how long it's kept for, keeping it securely, notifying of breaches, allowing for corrections and providing users' own recorded data on demand.
Data Protection Act 2018
The Data Protection Act 2018 runs in conjunction with the European Union’s General Data Protection Regulation (GDPR) and is an update of The Data Protection Act 1998 which states that any user of Internet access services in a public/professional establishment is entitled to request at any time details of his/her personal information.
The 2018 Act introduces new offences that include knowingly or recklessly obtaining or disclosing personal data without the consent of the data controller, procuring such disclosure, or retaining the data obtained without consent. Selling, or offering to sell, personal data knowingly or recklessly obtained or disclosed would also be an offence. Failure securely to maintain and make available data to a data subject may lead to the imposition of fines by the Information Commissioner. It’s also worth noting that unless a customer seeks explicit positive affirmation from the user (tick box or via T&Cs), this data cannot be used for marketing purposes and can only be disclosed to a very select list of approved authorities, primarily law enforcement agencies and government bodies.
Copyright Infringement and Online Activity
The Digital Economy Act 2010 was designed to implement steps to reduce online copyright infringement by end users. The act covers illegal downloading of copyrighted material and illegal file sharing. The act came into law in June 2010 and prescribes obligations to keep end user records to assist copyright owners in identifying and taking action.
Law Enforcement Requests
Under the Investigatory Powers Act 2016, intelligence and law enforcement agencies such as the police can direct that communications data be provided for the purposes of investigating a crime. It ensures law enforcement powers are fit for the digital age. It makes provision for the retention of internet connection records for law enforcement to identify the communications service to which a device has connected. This will restore capabilities that have been lost as a result of changes in the way people communicate. It is therefore very important that any communications data that the police or other law enforcement agency may require is stored and capable of being accessed upon a valid court order for the data.
So, What Next?
To ensure you’re keeping to your legal obligations, look at your guest network objectively. Ask yourself the following questions to determine areas of improvement.
- How am I storing communications data?
- Can stored data easily be retrieved if legally required?
- Is my network safeguarding against illegal downloads and copyright infringement?
Draw up a solid user policy that clearly states that illegal use of your network is in violation of your guest network policies. Block illegal sites that are commonly used for downloading or peer-to-peer sharing, and flag users attempting to download while on your network. Make sure you have easy access to communications data, and a secure storage solution. By aligning yourself with sound guest network management practices, you’ll be well on your way to offering a legal, secure guest wireless network.
The content of this blog is also available in the eBook, Rolling Out a Guest Wireless Network, which is a Project Vision original piece of work which you can download below.