Wifi Standards need to address privacy and security

As part of ARTICLE 19’s continuing efforts to highlight the relationships between human rights enjoyment and technical standards, we are engaging with technical standard setting organisations beyond the Internet Engineering Task Force (IETF). Specifically, we’re looking in depth at one of the world’s most widespread wireless communication technologies: the Institute of Electrical and Electronics Engineers  802.11 standard, commonly known as WiFi. Starting with the 802.11 Working Group meeting in Waikoloa, USA, in September 2017, we will be monitoring the standardisation activities for WiFi in the upcoming year.

Ethical challenges for wireless communications include privacy and security, and individuals’ abilities to communicate freely through channels with which they are comfortable. We have found  there to be procedural constraints to addressing these values in WiFi standards under development. These challenges call for greater public engagement and awareness.

Wireless communication technologies consist broadly of WiFi networks and cellular communication. Both of these components are more centralised than their wired counterparts; to send messages from one individual to another requires base stations which forward communications between individuals’ devices.

Wireless communication networks are still mainly provided through an infrastructure of base stations or access points to which for individuals (and their so-called client devices) connect. Examples of such infrastructures may be access points in a café, a railway station or a school, or mobile masts provided by cellular operators.

If a user’s communication has to pass through a central node, such as an access point or a base station, there are inherent risks to the enjoyment of human rights by individuals. On the one hand, it is easier for a government to demand interference with communications by individuals from a commercial entity that is positioned to interfere  in its users’ communications. On the other hand, the commercial entities may be incentivised by regulation to develop business models that rely on specific forms of interference with communications.

In both of these regards, ARTICLE 19 is continuing to engage for net neutrality and monitor how technical standards for wireless technologies lend themselves to ensuring that users can enjoy their freedom of speech and opinion without undue interference by their network provider or their government.

Technical standards also impact the privacy and security of users. Because WiFi standards apply to both client devices –  laptops, smartphones and any wireless devices– and base station devices used by providers to connect devices of citizens with one another – they impact the relationships between providers and users.

Currently under discussion in the IEEE 802.11 Working Group are the terms under which a network provider may geolocate its clients, and how clients may geolocate themselves (while hiding their position from the networks). A different ongoing discussion aims to ensure that clients can protect themselves against tracking through the use of unique network client identifiers, so-called MAC addresses, by creating a standardised way to randomise MAC addresses.

Tracking of wireless devices has been extensively researched  in recent years, with MAC randomisation widely regarded as an important but insufficient protection from tracking (see here). This tracking has also been the object of at least two data protection inquiries in the European Union. Technical advancements that push control over when or how such tracking is permitted back to individuals are a welcome development.

While privacy and security are increasing concerns of consumers and communities around the world, the 802.11 appears to have no inherent way of addressing these concerns. In developments we’ve been tracking since the working group’s first meeting: privacy and security could be left out of the standardisation effort as being outside of default concerns. Even more concerning, intra-institutional competition has caused the discussion of privacy and security to derail; also implying that neither security nor privacy are concerns of those participating in wifi standardisation efforts.

This ommission of privacy and security concerns is not unexpected. The IEEE Code of Ethics includes language on public welfare and non-discrimination of participating individuals, but there is no language mandating respect for human rights in general. The “5C test” that each new IEEE 802.11 standard working group needs to pass includes testing for commercial viability, uniqueness, feasibility and compatibility. Privacy, security or other human rights concerns could only be included by default in such tests if they were part of the commercial legislation codifying the terms under which radio equipment can be launched on a market. Some opportunities to provide commercial contextualisation are provided under new European data protection rules. But in the spirit of the larger IEEE Code of Ethics, heavy-handed regulation should not be necessary to include these concerns, but rather be seen as an inherent part of their mission to enhance public welfare.

If you are interested in the discussions of the IEEE 802.11 with respect to ongoing developments on MAC randomisation, we encourage you to look up the 802.11 TGaq task group. We are particularly interested in hearing the voices of public WiFi providers operating in countries with EU-style privacy laws.

See IEEE 802 Group and IEEE-SA websites for more information.