Wireless access may soon require more of VARs

James Harris says every organisation offering free WiFi will soon have to record who is using it

We are starting to expect that WiFi access in just about any public location will be provided freely and openly. By and large that is the case, although in many hotels, on trains, and when you log on as a guest on a customer or supplier visit, you may be expected to provide log details.

Most of the time no one actually records who you are or where you are from. They never really know what you are accessing or downloading or with whom you are communicating across their connections.

That raises a lot of questions. With concerns about online security and how criminals and terrorists use the web to communicate, plan, and execute actions, one day soon it will make no sense to allow open access to just about anyone. In fact, it will probably become illegal as well as highly inadvisable.

There is already a piece of EU legislation called the Data Retention Directive (DRD) which requires communications providers to retain data that would enable the relevant authorities to trace and identify the source and destination of any communication, as well as when it was made, its duration and type for between six months and two years. It also requires that providers be able to identify the communication device and the location of mobile equipment.

Providers may be expected to make the data available to competent national authorities in specific cases "for the purpose of the investigation, detection and prosecution of serious crime". But while the directive has been broadly adopted in Germany and some other countries, the UK has so far decided that only comms providers with more than about 500,000 subscribers must comply.

This legislation has some flaws. It would be difficult to trace someone who accessed services though a public WiFi hotspot. There were quite a few of these around even in 2009 and there are certainly a lot more now. This will also prove a problem for the UK's Digital Economy Act (DEA), which became law some time ago but has not yet reached the enforcement stage.

With the UK's fibre rollout moving on apace to increase the availability of low-cost bandwidth, and more sophisticated WiFi technology on the horizon, it is only a matter of time before serious concerns are raised again.

The European Commission is planning a review of the DRD. It is likely to take a more comprehensive approach, and much more stringent rules will almost certainly be imposed.

Meanwhile, the UK government is moving ahead with its communications data bill, which could give the home secretary the power to force any business to store details of electronic communications of all kinds for up to a year.

Bills take time to become law but the whole process could easily accelerate if, say, some unimaginably disastrous breach of security or data theft were to occur and, due to the laxity of the current rules, the perpetrators could not be traced.

Sooner or later, making sure you can record all the details of users and authenticate them in some way will become requisite. Governments and security services will demand that they are able – for specific cases – to trace the individual and the device that was used for the connection through which the breach was made.

They may want to impose these rules very quickly indeed when the time comes.

It might be sensible for any organisation that offers WiFi access to guests or the public to record this information now. It will, after all, be your IP address that is traced if there is a security concern or someone is doing something suspicious or illegal through your hotspot.

It is not that difficult to do: you just have to provide some form of data logging system. This can be done today by combining a unified security gateway appliance, a hotspot billing gateway and NAS device to store all the information.

In Germany in particular, we have seen good levels of demand for this, down of course to the different levels of enforcement of the EU's original DRD and the higher level of awareness in Germany. But it makes sense to do it anyway, and it gives resellers the opportunity to add more value and save their customers from the risk of having their hotspots being used for unscrupulous communications.

James Harris is European market development manager in the digital home unit at ZyXel Communications