EU – Yes to free WiFi, No to free anonymous surfing

By | January 17, 2017

Because there have been a lot of misleading articles recently, I think this is an important clarification: the recent CJEU decision doesn't say that shopkeepers have to take responsibility for the actions of users on free WiFi networks. On the contrary, it says that shopkeepers are protected from being liable for actions carried out by users, no ifs and buts.

However, it does say that users shouldn't necessarily have a free pass to do whatever they want, either – shopkeepers can provide free WiFi, but may receive an injunction to provide free WiFi only in exchange for identification information (presumably so that infringing users may be traced and held liable for their actions).

Let's just hope that the day never comes when we need to post something political anonymously on the internet…

CJEU: Free WiFi networks can be ordered to be password protected | Lexology
In McFadden v Sony, the CJEU has ruled that the mere conduit defence applies to the operator of a free WiFi network, but that it could be ordered…

11 thoughts on “EU – Yes to free WiFi, No to free anonymous surfing”

  1. Per Siden

    The whole idea of eavesdropping on users, be it in a café or in their homes, is flawed. Always use a VPN, but especially on free and open WiFi networks!

  2. Randy Resnick

    Absolutely, MAC address is just an artificial way to identify hardware and can be easily spoofed. I was suggesting that the gateway could be modified to grab a lot more, the point is that usually you do pass through a page or portal. That step can be very invasive if they want it to be.

  3. Jürgen Christoffel

    +Randy Resnick captive gateways (or portals) usually work by triggering on the MAC address of a device. But MAC addresses can be changed and taken over, so someone could be "you" as soon as you leave, or even before that.

  4. André Esteves

    That's what Facebook, Google and company have been trying to do from the beginning: offering a social network they implement an identity system. But identity is a fleeting thing. Unless you go full China and there you know where it is going…

  5. Randy Resnick

    Further, at airports with free wifi and here in the city, you have to give an email that is validated (how you're supposed to get the email to click on is mysterious). Anyway, there are many ways tricks can be used on either side. Let's not forget in passing, the thieves who take selfies and post them on Facebook, etc. The system will never be perfect and will probably profile you and me, more than anyone doing something illegal!

  6. Randy Resnick

    No, that would be required and somehow enforced by rule. Most public wifi already has them. A small tweak would allow it to talk to the "mother ship of the fatherland" and deposit your MAC, browser profile, etc. Sure the user could be very careful about these things, as well as carrying fake ID.

  7. Sophie Wrobel

    +Randy Resnick only problem there: I doubt your average small business owner understands how to set up and log a captive gateway. Captive gateways requesting user identification aren't quite standard yet! Which means, the net result of the additional requirement might be that small business owners take their free WLAN offering offline. Perhaps this would be a court consideration as well…

  8. Sophie Wrobel

    +Jürgen Christoffel
    a) is (at least from a legal perspective) relatively simple – you don't need to prove your legal identity to sign a contract (e.g. a contract to agree to use the internet for legitimate purposes and get the password). If you provide a false identity, it's a case of fraud, which means you're on the hook twice for illegal activity, but still protects the shopkeeper.
    b) is more of a challenge. Courts aren't known to be well-versed with technology. I doubt that a password and IP logs alone will be sufficient here to find the perpetrator, especially if we are talking about a publicly accessible small shop that most likely has a small-scale router with dynamic IP addressing running in a corner. Assuming the user provided truthful identification details, session tracking might work, and hardware tracking would be even more reliable, but we're already beyond the domain of knowledge that an average small business owner can be reasonably expected to have and apply on configuring a router. I suspect this is the reason why the CJEU didn't issue an injunction, instead responding that 'requesting a password' – which I will loosely interpret as any technical measure to force a business owner to request identification from customers using their free WLAN service, which may or may not involve an actual password – may be a possible response measure, as deemed appropriate by the presiding court.

  9. Jürgen Christoffel

    Nice theory. But in practice, some "interesting" issues remain: a) in Germany for example you are not required to carry your Personalausweis with you. So how is the "identification" supposed to work in practice? b) Even after receiving a password (actually "the" same password for all I'd expect), it's technically difficult to track traffic to a certain user. You would have to require them to register their hardware first somehow.

