Click here for Adobe Acrobat version
Click here for Microsoft Word version
********************************************************
NOTICE
********************************************************
This document was converted from Microsoft Word.
Content from the original version of the document such as
headers, footers, footnotes, endnotes, graphics, and page numbers
will not show up in this text version.
All text attributes such as bold, italic, underlining, etc. from the
original document will not show up in this text version.
Features of the original document layout such as
columns, tables, line and letter spacing, pagination, and margins
will not be preserved in the text version.
If you need the complete document, download the
Microsoft Word or Adobe Acrobat version.
*****************************************************************
Before the
Federal Communications Commission
Washington, DC 20554
In the Matter of
M.C. Dean, Inc.
)
)
)
)
)
File No.: EB-SED-15-00018428
NAL/Acct. No.: 201632100003
FRN: 0011134921
NOTICE OF APPARENT LIABILITY FOR FORFEITURE
Adopted: October 28, 2015 Released: November 2, 2015
By the Commission: Commissioners Pai and O'Rielly dissenting and issuing separate statements.
introduction
We propose a penalty of $718,000 against M.C. Dean, Inc. (M.C. Dean) for apparently interfering with and disabling the operation of consumers' Wi-Fi devices at the Baltimore Convention Center (BCC). The Internet is a vital platform for economic growth, innovation, competition, and free expression. Wi-Fi is an essential access ramp to that platform. Wi-Fi networks have proliferated in places accessible to the public and consumers are increasingly establishing their own Wi-Fi networks by using mobile hotspots and their wireless data plans to connect Wi-Fi-enabled devices to the Internet. In this action, we address the practice of Wi-Fi blocking, which occurs when a Wi-Fi equipment operator intentionally disrupts the lawful operation of neighboring Wi-Fi networks. Wi-Fi blocking threatens to stymie wireless innovation and the availability of Wi-Fi as an important Internet access technology. Our action today advances the Commission's longstanding goal of ensuring that all authorized communications - including Wi-Fi transmissions - occur free of malicious disruptions.
Specifically, we find that M.C. Dean apparently repeatedly violated Section 333 of the Communications Act of 1934, as amended (Act) by maliciously interfering with the operation of Wi-Fi networks at the BCC. Based on the evidence, we find that M.C. Dean blocked Wi-Fi devices on at least 26 days from November 2, 2014 to December 13, 2014 at the BCC.
background
Wi-Fi Generally
Wi-Fi is a technology that enables the wireless connection of low-power electronic devices. Based on the 802.11 family of standards established by the Institute of Electrical and Electronics Engineers (IEEE), Wi-Fi networks enable devices such as laptop computers, tablets, video game consoles, and smartphones to connect to the Internet and to each other through wireless network access points (APs). According to the Wi-Fi Alliance, more than 22,000 different Wi-Fi products have been certified since its inception in 1999, about two billion Wi-Fi capable devices were sold in 2013 alone, and by 2020, that number is expected to reach four billion annually. Wi-Fi is particularly critical to the wireless broadband ecosystem, as developers, vendors, and manufacturers use Wi-Fi to link new types of products, systems, and devices that make our lives more efficient and comfortable. Though there are other wireless access technologies, such as Bluetooth, much of the developing "Internet of Things" depends on Wi-Fi connectivity.
The most commonly-recognized wireless network access point is the Wi-Fi router that many consumers have in their homes, but a number of mobile devices can also serve as a wireless access point - or "hotspot" - that connects to the Internet through the mobile data network to which the consumer has subscribed. Many mobile hotspots are stand-alone transmitting devices, typically the size of a deck of playing cards, and many smartphones sold today come with built-in Wi-Fi hotspot capabilities. Consumers can use Wi-Fi-enabled devices, such as laptop computers or tablets, to wirelessly connect to these mobile hotspots and thereby access the Internet. In addition to personal hotspots, consumers may also access the Internet in a variety of businesses and public spaces through hotspots available for free or for a commercial fee.
Wi-Fi communications follow a common protocol in establishing a connection, known as an "association" in Wi-Fi terminology, between an end-user client device (client) and an access point. This process occurs in three primary steps: the client first probes, then authenticates, and finally associates with the access point. Specifically, a "probe request" allows a client to determine what access points are available and to select the best one to use. An "authentication request" allows the client to establish its identity with the access point. Finally, an "association request" allows the authenticated client to transmit and receive data from the access point and connect to the network. When a client wishes to terminate the connection with an access point, or vice versa, the session is terminated through use of "deauthentication" and "disassociation" frames. The transmission of deauthentication and disassociation frames in the ordinary course of ending a session is consistent with the 802.11 standard when used to terminate Wi-Fi communications between two devices within an existing network connection. The 802.11 protocols do not require any management, administrative control, or verification of these deauthentication and disassociation frames.
"Wi-Fi blocking" occurs when a Wi-Fi equipment operator intentionally disrupts the lawful operation of neighboring Wi-Fi networks, including through the indiscriminate use of deauthentication frames to disrupt a Wi-Fi device's link to a Wi-Fi network other than the operator's network. The deauthentication protocol could be used to engage in Wi-Fi blocking in a variety of ways. Wi-Fi blocking may be performed either manually or automatically using pre-set parameters. In all cases, the blocking operator prevents the target device from establishing or maintaining a connection with a Wi-Fi network other than that of the blocking operator. Because deauthentication frames can be transmitted more quickly than a new link can be established, the blocking operator can ensure that the targeted device or devices are unable to establish or maintain a connection to a Wi-Fi network.
Legal Framework
Key to the success of Wi-Fi is the ability of users to deploy authorized devices without a Commission license, thereby creating a "spectrum commons" - a frequency band in which spectrum can be shared successfully without Commission licensing of specific users. This is made possible by the Commission's imposition of power limits and requirements for each type of radio station that the Commission authorizes for manufacture, sale, and use in the band. As stated in the National Broadband Plan, this regulatory framework has been highly beneficial, producing "low barriers to entry and faster time to market, that have reduced costs of entry, spurred innovation and enabled very efficient spectrum usage." As described below, Wi-Fi blocking threatens to disrupt the spectrum commons and violates the Act.
Wi-Fi Operates Under Part 15 of the Commission's Rules
The operation of Wi-Fi devices is regulated by Part 15 of the Commission's rules, which governs the use and marketing of low-power, unlicensed "intentional radiators." These intentional radiators include not only Wi-Fi mobile hotspots, but a plethora of other devices, including cordless phones, baby monitors, garage door openers, wireless home security systems, and keyless automobile entry systems. Such devices are considered "unlicensed" because the Commission neither requires an operator to obtain an individual license from the Commission to use them nor licenses the operators by rule under its Section 307(e) authority.
Unlicensed use of spectrum is a critical component of the Commission's national spectrum policy. Unlicensed devices generally operate at relatively low power on frequencies shared by many other users. The Part 15 rules provide substantial flexibility in the types of unlicensed devices that can be operated. With regard to Wi-Fi devices, the Commission authorizes devices such as those used by M.C. Dean to operate in the 2.4 GHz and 5.8 GHz bands pursuant to Section 15.247 of its rules. This rule section specifies a number of technical parameters for Wi-Fi device operations, including the operating frequency, modulation technique, channel bandwidth, antenna gain limits, and maximum transmitter power output.
No Wi-Fi User has Greater Rights than Another Wi-Fi User
Wi-Fi devices operate on frequencies shared with other unlicensed devices; their rights are limited to facilitate sharing. These limits are established both in the Act and the Commission's rules. Section 333 of the Act, which Congress enacted in 1990 to protect radio communications from willful or malicious interference, provides broadly that "[n]o person shall willfully or maliciously interfere with or cause interference to any radio communications of any station licensed or authorized by or under this Act or operated by the United States Government." Thus, all Wi-Fi devices are prohibited from willfully or maliciously interfering with or causing interference to authorized communications, including other Wi-Fi transmissions. Part 15 of the Commission's rules also prescribes that operation of unlicensed devices is "subject to the condition[ ] that no harmful interference is caused." The Part 15 rules define "harmful interference" as "[a]ny emission, radiation or induction that endangers the functioning of a radio navigation service or other safety services or seriously degrades, obstructs or repeatedly interrupts a radio communications service operating in accordance with this chapter."
The Enforcement Bureau (Bureau) has repeatedly and consistently warned against causing intentional interference, including to Wi-Fi transmissions. A 2011 Enforcement Advisory stated that the prohibition against devices that "intentionally block, jam, or interfere with authorized radio communications" includes Wi-Fi. Similarly, another Enforcement Advisory issued in 2012 reiterated that devices should not be used that interfere with authorized communications, including by "preventing . . . Wi-Fi enabled device[s] from connecting to the Internet." More recently, an Enforcement Advisory issued earlier this year warned that Section 333 prohibits blocking or disrupting the legitimate operation of personal Wi-Fi hotspots.
The Bureau recently entered into consent decrees with the operator of a resort hotel and convention center and an Internet provider for conventions, meeting centers, and hotels, in proceedings involving Wi-Fi blocking. In both proceedings, the companies, Marriott International, Inc. and Marriott Hotel Services, Inc. (collectively, Marriott) and Smart City Holdings, LLC (Smart City), employed Wi-Fi deauthentication to block consumers who sought to connect to the Internet using personal Wi-Fi hotpots. Marriott admitted that the Wi-Fi users it blocked did not pose a security threat to the Marriott network. Marriott agreed to settle the investigation by paying a civil penalty of $600,000 and establishing operating procedures to ensure that it does not engage in further Wi-Fi blocking. Similarly, Smart City submitted no evidence that the deauthentication was done in response to a specifically identified security threat. Smart City agreed to a civil penalty of $750,000 and to cease its Wi-Fi blocking activities.
The Enforcement Bureau's Investigation of M.C. Dean
M.C. Dean is one of the largest electrical contracting companies in the country, with estimated sales of over $700 million in 2013. M.C. Dean, which holds a common carrier license through a wholly-owned and controlled subsidiary, has provided telecommunications and Internet services, including Wi-Fi, to the BCC since at least October 2012. During the period covered by this enforcement action, M.C. Dean provided and sold wireless Internet service to exhibitors and other attendees at the BCC for at least 10 events and at least 26 days, during which at least 43,000 exhibitors and attendees were present. M.C. Dean charged $795 to $1,095 for access to the Wi-Fi it provided depending on whether the services were ordered in advance or on-site.
On October 23, 2014, the Commission received an informal complaint from a company that provides private Wi-Fi networks for exhibitors at trade shows by shipping equipment to customers around the country. The complainant stated in part that it had "just spent all morning arguing with M.C. Dean company who provides wireless [at the BCC] until they finally ceased sending de-auth signals to our router." The complainant further stated that its AP logs showed M.C. Dean engaging in Wi-Fi blocking against its equipment at the BCC and that such blocking "is a carbon copy of the Marriott case."
The next day, agents from the Bureau's Columbia Field Office visited the BCC during an exhibition and observed that Wi-Fi hotspots they established did not work inside the BCC, but did work outside of the BCC. Agents returned to the BCC on November 21, 2014, during another event and used specialized software to document that deauthentication packets were sent to Wi-Fi hotspots established by the agents. Agents made a third visit to the BCC on December 6, 2014, while two events were taking place, and again documented deauthentication packets sent to Wi-Fi hotspots they established.
During the December 6, 2014, inspection, agents spoke to an M.C. Dean employee and were told that all but two Wi-Fi channels were "restricted" by M.C. Dean at the BCC. The M.C. Dean employee said that access to the "restricted" Wi-Fi channels would require paying M.C. Dean a fee of $795 in advance or $1,095 on the day of the event. The M.C. Dean employee further said that without proper access credentials provided by M.C. Dean, its system would continually deny a user Wi-Fi access. The agents subsequently inspected M.C. Dean's network management equipment and determined that the system used Xirrus hardware and software, backed up by Cisco equipment. Following receipt of the complaint and the agents' inspections, the Bureau's Spectrum Enforcement Division undertook an extensive investigation that included sending several Letters of Inquiry to M.C. Dean and reviewing the company's written responses.
In response to the Bureau's investigation, M.C. Dean admitted that it deployed deauthentication equipment at the BCC from October 2012 until December 13, 2014, and that it used an auto-block feature that automatically detected and indiscriminately deauthenticated any unknown AP. Specifically, M.C. Dean's responses revealed that it deployed a Xirrus platform at the BCC with an auto-deauthentication function that M.C. Dean affirmatively turned on when it started using the system. The Xirrus User Manual calls the auto-block function employed by M.C. Dean the "`shoot first and ask questions later' mode." According to the manual, "[t]he Advanced RF Settings window allows you to set up Auto Block parameters so that unknown APs get the same treatment as explicitly blocked APs." M.C. Dean set up the Xirrus platform to send deauthentication frames to any unknown AP that it detected outside of the "Auto Block" parameters. When M.C. Dean classified an AP as Blocked, the Xirrus platform sent deauthentication signals to the AP, which "ha[d] the effect of disconnecting all of a Blocked AP's client devices approximately every 5 to 10 seconds," rendering the Blocked AP "frustratingly unusable."
After receiving a request for Wi-Fi blocking records at the venues it serves, M.C. Dean claimed that it could locate only one record from a June 16, 2014, science conference at the BCC attended by an estimated 6,600 people. The record lists 357 APs that the Xirrus Platform detected and classified as Blocked over 24 hours. The blocked devices associated with the blocked APs included many smartphones and even Wi-Fi devices likely located outside the convention center. For example, the record suggests that the auto-block function of M.C. Dean's system penetrated outside the BCC and targeted hotspots established by passing cars and buses for deauthentication.
M.C. Dean claims without specific support that it used deauthentication to "detect and prevent malicious attacks on the wireless network and improve network security and reliability." M.C. Dean also claims without support that its auto-blocking would have been limited because it would not have included certain brands of equipment or certain SSIDs, that it left unblocked two of the over dozen typically-available Wi-Fi channels, and that signal propagation limits may have limited the effectiveness of its Wi-Fi blocking attempts. In sum, M.C. Dean claims that it wanted to "balance its contractual obligations to offer reliable and secure wireless services at the BCC with the ability of guests to use personal Wi-Fi hot spots when visiting the venue."
M.C. Dean argues that its use of deauthentication "does not constitute `interference' within the meaning of section 333" and the Act does not prohibit interference to Part 15 devices. M.C. Dean claims that the Commission has made a distinction between "reasonable network management" and prohibited "interference," citing without explanation two Notices of Proposed Rulemaking regarding the use of cell phones in prisons and on airplanes.
M.C. Dean argues the Commission has only applied Section 333 to a limited set of circumstances that does not include Wi-Fi blocking. M.C. Dean states the equipment it used at the BCC "has been authorized by the Commission pursuant to section 302 of the [Act]" and was not operating on unauthorized frequencies or at unauthorized power levels. Finally, M.C. Dean argues that, as a matter of due process, it did not receive "fair notice of the conduct that is forbidden" because its equipment is not a "jammer," Enforcement Advisories "do not represent decisions of the Commission," and only recent Enforcement Advisories warned that Section 333 prohibits willful and malicious interference to Part 15 devices.
Discussion
Based on the facts of this case, we find that M.C. Dean apparently violated Section 333 of the Act through its use of deauthentication frames to intentionally disrupt Wi-Fi devices that were lawfully and legitimately operating on shared spectrum, and propose a $718,000 forfeiture for such apparent violations.
M.C. Dean's Wi-Fi Blocking Apparently Violated Section 333 of the Act
We find that M.C. Dean apparently repeatedly violated Section 333 of the Act by maliciously blocking Wi-Fi hotspot communications at the BCC in the past year. As discussed below, there are three key elements to our finding: (i) M.C. Dean engaged in Wi-Fi blocking; (ii) Wi-Fi blocking constitutes "malicious interference;" and (iii) Wi-Fi devices are "authorized station[s]." We also find that M.C. Dean's asserted motivation to prevent congestion and its reliance on security protocols do not justify its Wi-Fi blocking at the BCC. We similarly reject M.C. Dean's arguments that Wi-Fi blocking does not violate the law or that it did not have sufficient notice that Wi-Fi blocking was illegal.
M.C. Dean Engaged in Wi-Fi Blocking
There is ample evidence that M.C. Dean engaged in widespread and indiscriminate Wi-Fi blocking during the past year. M.C. Dean admits that it deployed a system with an automatic Wi-Fi blocking capability at the BCC and enabled such automatic blocking until December 13, 2014. Indeed, the Xirrus system manual called the aggressive auto-blocking function "`shoot first and ask questions later' mode." In addition, Commission Field agents observed dropped Wi-Fi hotspot Internet connections and deauthentication packets sent by M.C. Dean's system during multiple visits to the BCC. During those visits, an M.C. Dean employee said the company "restricted" all but two Wi-Fi channels at the BCC for all Wi-Fi networks and required payment to M.C. Dean for access to Wi-Fi. The record provided by M.C. Dean, moreover, shows many instances of deauthentication over a 24-hour period during just one event at the BCC. The record also shows that hotspots generated by typical smartphones would have been blocked, as shown by the near universal blocking of APs associated with iPhones or Samsung phones, and suggests that M.C. Dean's system even targeted Wi-Fi devices located outside the BCC for deauthentication. M.C. Dean's claims of limitations to its Wi-Fi blocking do not convince us that such blocking was not automatic and commonplace, rendering consumer mobile hotspots "frustratingly unusable." M.C. Dean presents no evidence that any possible limitations materially impacted the likelihood that someone in the BCC attempting to use their own Wi-Fi hotspot would not have been blocked. Finally, M.C. Dean concedes that it charged consumers hundreds of dollars or more to connect to its Wi-Fi network in the BCC, and these charges clearly gave M.C. Dean a financial incentive to use its blocking capability. Thus, we conclude based on the totality of the evidence that M.C. Dean engaged in Wi-Fi blocking for several months during the past year. We leave our analysis of the frequency of M.C. Dean's blocking activity to Section III.B, below, in which we discuss the proposed forfeiture amount.
Wi-Fi Blocking Constitutes "Malicious Interference" Prohibited by Section 333 of the Act
Under the circumstances presented here, M.C. Dean's use of deauthentication frames with the intent to prevent third-party Wi-Fi devices from establishing or maintaining their own networks independent from M.C. Dean's Wi-Fi network constitutes "interfer[ing] with or interference to [] radio communications" within the plain meaning of Section 333 of the Act. For purposes of Part 15, the Commission defines "harmful interference" as "[a]ny emission, radiation or induction that endangers the functioning of a radio navigation service or of other safety services or seriously degrades, obstructs or repeatedly interrupts a radio communications service operating in accordance with this chapter [Part 15]." Deauthentication degrades, obstructs, and interrupts the radio communications between two third-party wireless networking devices. Section 333, moreover, not only prohibits one from causing "interference to" any radio communications, but also prohibits anyone from "interfer[ing] with" such communications. The statute's two-part characterization of its prohibition against the disruption of radio communications constitutes a broad use of the concept of "interference," without limiting it to the radiofrequency (RF) component of a device's operations. The Commission has, in other contexts, similarly interpreted the Section 333 concept of "interference" to include disruptions caused by actions other than RF interference. For example, in the amateur radio service context, the Commission found the "refusal by an operator to allow any other operator to talk" to be a violation of Section 333. That communications are obstructed through the use of a standard protocol is no defense to Section 333. Here, M.C. Dean would not allow mobile hotspots to connect to the Internet via a non-M.C. Dean approved network connection - thus intentionally obstructing lawful communication.
This broad interpretation of interference is consistent with the provision's legislative history, which includes the following specific examples of interference:
* intentional jamming, deliberate transmission on top of the transmissions of authorized operators already using specific frequencies in order to obstruct their communications, repeated interruptions, and the use and transmission of whistles, tapes, records, or other types of noisemaking devices to interfere with the communications or radio signals of other stations.
* Given the plain meaning of Section 333 and its legislative history, and consistent with the basic canon of statutory interpretation referenced above, we conclude that Wi-Fi blocking constitutes a type of disruption to the use of spectrum that falls within the scope of Section 333's prohibition against interfering with or interference to radio communications.
Finally, the Wi-Fi blocking engaged in here appears to have been malicious, as M.C. Dean sought to cause, and in fact did cause, harmful interference to lawfully operated third-party networks. M.C. Dean established its blocking capability and used it with the specific intent to block the use of Wi-Fi by consumers not on its network. M.C. Dean knew that its system would cause interference to other Wi-Fi devices - in fact, that was the company's goal. As discussed elsewhere, M.C. Dean charged prices ranging from the hundreds to the thousands of dollars to exhibitors and others for Wi-Fi access that they should have been able to obtain directly through their own data plans. The company applied the "shoot first, ask questions later" setting on its equipment, leading to Wi-Fi blocking not only of persons in the BCC but even of passing Wi-Fi enabled vehicles. And M.C. Dean knowingly performed this conduct for over two years, including for two months after the Marriott consent decree.
Finding malicious interference here is consistent with other cases in which a party was found to have maliciously interfered with another when the interfering party deliberately sought to prevent the other person from transmitting communications signals on a given frequency. For example, the Commission has found malicious interference where an individual knowingly rendered his target's radios unusable by transmitting National Oceanic and Atmospheric Administration weather radio over the target's licensed channels. In that case, the interfering party "operated a radio . . . on the specific frequencies assigned and licensed by the Commission to [a third party], for the explicit and expressed purpose of prohibiting [the third party's] use of its licensed frequencies." These actions were found to constitute repeated acts of intentional and malicious interference," as they "cut at the heart of the Commission's responsibilities to protect the nation's airwaves and regulate use of the spectrum."
Wi-Fi Devices Are "Stations" Within the Meaning of Section 333 of the Act
Section 333 applies to "any station licensed or authorized by or under [the] Act." The devices at issue here - the APs and devices that were blocked - squarely fall within the meaning of "stations" as used in Section 333. Section 3 of the Act broadly defines "station" as "a station equipped to engage in radio communication or radio transmission of energy." In addition, Congress's use of the modifier "any" before "station" in Section 333 further indicates its intent that the term "station" has a broad and inclusive meaning. Congress provided several examples of radio services that would be protected from interference under Section 333, but did not limit the types of radio services or stations that would be protected. In fact, the legislative history indicates the Congress did not intend to limit interference protection to a limited set of particular radio services, but rather intended Section 333 to provide a "general prohibition against intentional interference." Thus, interpreting "any station" to encompass the Wi-Fi equipment at issue here, which is used to transmit communications and signals by radio, is consistent with the expansive language used in Sections 3 and 333 of the Act, the phrase's plain meaning, and Section 333's legislative history.
The Commission has consistently interpreted the definition of "station" to include Part 15 devices. For example, in its Ultra-Wideband Rulemaking in 2004, the Commission cited Section 303(f) of the Act, granting the Commission power to regulate to "prevent interference between stations," as authority for the Part 15 rules. And, in a 2006 proceeding to preempt airport authorities from preventing an airline from installing Wi-Fi antennas in its passenger lounge, the Commission cited Section 303(d) of the Act, granting the Commission power to "[d]etermine the location of . . . stations," as its authority. Accordingly, we conclude that the Wi-Fi devices that M.C. Dean apparently blocked at the BCC are "stations" within the meaning of Section 333 of the Act.
M.C. Dean's Network Management and Notice Claims Do Not Justify its Wi-Fi Blocking
M.C. Dean claims without any evidentiary support that its blocking was necessary to provide a reliable and secure Wi-Fi service at the BCC. But M.C. Dean was not authorized to block any lawful third-party Wi-Fi device under Section 333 of the Act, regardless of its desire to support its network. Wi-Fi operates in shared spectrum in which no user is entitled to block another in order to reduce congestion. In addition, M.C. Dean misplaces its reliance on the federal cybersecurity guidelines it cites. The recommendations in those guidelines that federal network operators have wireless intrusion detection and prevention systems do not authorize M.C. Dean (which is not a federal agency) to use those systems to send deauthentication frames to Wi-Fi users who are operating their stations as authorized to establish personal networks. In any case, M.C. Dean failed to provide any evidence supporting its claim that its blocking activity actually targeted any devices that threatened the reliability or security of its Wi-Fi network or the users of its Wi-Fi network. The record, rather, points to M.C. Dean using automatic blocking only to benefit itself commercially, to improve its system's performance, and to limit competition.
The legal arguments advanced by M.C. Dean to justify its Wi-Fi blocking are meritless. As addressed above, Wi-Fi blocking is "malicious interference" prohibited by Section 333, as demonstrated by the plain language and legislative history of the statute. In contrast to M.C. Dean's claim that Section 333 is limited to interference caused by jammers and other unauthorized operations, the statute also prohibits malicious interference to any radio communications by an authorized station. Additionally, M.C. Dean has not explained how its indiscriminate Wi-Fi blocking could be considered a permissible network management tool. The company's automatic Wi-Fi blocking did not support the management of M.C. Dean's own network, but rather the prevention of others from operating their own networks apart from M.C. Dean's service. Moreover, as explained above, M.C. Dean operates its Wi-Fi network on shared frequencies and its ability to operate on these frequencies is limited in that it must share the use of the frequencies with other devices lawfully operating on those frequencies. M.C. Dean, thus, may not operate its Wi-Fi network, including under the guise of network management, in a manner that unilaterally prevents consumers from using their own authorized devices from establishing mobile hotspots on shared spectrum through data services they already purchased. Further, the two Notices of Proposed Rulemaking cited by M.C. Dean without explanation do not alter this analysis and are irrelevant to the apparent Wi-Fi blocking violations at issue. The "reasonable network management" practices discussed in the two Notices do not authorize or condone the type of indiscriminate Wi-Fi blocking that M.C. Dean engaged in at the BCC.
M.C. Dean's claimed lack of notice is simply wrong. The Bureau has repeatedly and consistently warned, going back to 2011, that intentional blocking of Wi-Fi communications was unlawful and subject to enforcement action. These warnings and the law are not limited to "jammers," or any other specific kind of technology or equipment. As clearly stated in the 2011 Enforcement Advisory, "it is a violation of federal law to use devices that intentionally block, jam, or interfere with authorized radio communications such as . . . Wi-Fi." Here, regardless of the technology used, M.C. Dean did just that - intentionally blocked, jammed, and interfered with hundreds of consumers' Wi-Fi hotspots in violation of the law. Additionally, the Consent Decree with Marriott in October 2014 provided notice that the Commission could consider Wi-Fi blocking a violation of Section 333 of the Act. Further, the fact that M.C. Dean purportedly failed to understand that Wi-Fi blocking violated the law does not excuse its apparent violations because the Commission "does not consider ignorance of the law a mitigating factor."
Proposed Forfeiture
Section 503(b) of the Act authorizes the Commission to impose a forfeiture against any entity that "willfully or repeatedly fail[s] to comply with any of the provisions of [the Act] or of any rule, regulation, or order issued by the Commission." Section 503(b)(2)(B) of the Act authorizes us to assess a forfeiture against M.C. Dean, a holder of a common carrier license, of up to $160,000 for each day of a continuing violation, up to a statutory maximum of $1,575,000 for a single act or failure to act. In exercising our forfeiture authority, we must consider the "nature, circumstances, extent, and gravity of the violation and, with respect to the violator, the degree of culpability, any history of prior offenses, ability to pay, and such other matters as justice may require." In addition, the Commission has established forfeiture guidelines; they establish base penalties for certain violations and identify criteria that we consider when determining the appropriate penalty in any given case. Under these guidelines, we may adjust a forfeiture upward for violations that are egregious, intentional, or repeated, or that cause substantial harm or generate substantial economic gain for the violator.
Section 1.80 of the Commission's rules and the Commission's Forfeiture Policy Statement set a base forfeiture of $7,000 for interference to authorized communications for each violation or each day of a continuing violation. We have discretion, however, to depart from these guidelines, taking into account the particular facts of each individual case.
We find that M.C. Dean apparently repeatedly violated Section 333 of the Act by maliciously blocking Wi-Fi hotspot communications at the BCC in the past year. As described above, the initial complaint, the three visits by FCC field agents, the automatic and indiscriminate Wi-Fi blocking technology that M.C. Dean admits to deploying from October 2012 to December 13, 2014, and M.C. Dean's own record of large numbers of consumer devices over a single 24-hour period at a BCC event in June 2014 all demonstrate a high likelihood that M.C. Dean engaged in Wi-Fi blocking whenever it was providing service and there was an event at the convention center. We find it reasonable to conclude that a violation apparently took place every day there was an event at the BCC within the past year and M.C. Dean sold Wi-Fi to the event planner or event exhibitors. The evidence demonstrates that deauthentication undoubtedly took place when there were events held at the BCC. M.C. Dean's submissions show that at least 10 events took place at the BCC on at least 26 days over the past year where M.C. Dean sold Wi-Fi service.
Based on its account of the BCC events it served, we find that M.C. Dean blocked Wi-Fi devices at the BCC on at least 26 days. Consistent with 503(b) of the Act, Section 1.80 of the Commission's rules, and the Forfeiture Policy Statement, we begin our calculation with the base forfeiture of $7,000 for each of the 26 days, resulting in a total base forfeiture of $182,000 for M.C. Dean's apparent Wi-Fi blocking violations.
Given the totality of the circumstances, and consistent with the Forfeiture Policy Statement, however, we also conclude that a significant upward adjustment is warranted here. In this case, we upwardly adjust for M.C. Dean's ability to pay, the egregious nature of its violations in light of the importance of Wi-Fi capability to consumers, and the repeated and continuous nature of its violations.
First, to ensure that a proposed forfeiture is not treated as simply a cost of doing business, the Commission has determined that large or highly profitable companies should be subject to proposed forfeitures that are substantially above the base forfeiture amount. Industry publications state that M.C. Dean had over $700 million in sales in 2013 and list M.C. Dean as one of the largest electrical contractors in the county. Thus, to ensure that the forfeiture is an effective deterrent for M.C. Dean as well as to protect the interests of consumers, an upward forfeiture adjustment based on M.C. Dean's relative ability to pay is justified.
Second, M.C. Dean's blocking activities are a particularly egregious form of misconduct that warrants a substantial increase to the base forfeiture for unlawful interference provided in the Commission's rules. Wi-Fi blocking runs counter to fundamental Commission principles by stymieing wireless innovation, competition, and the availability of Wi-Fi as an important Internet access technology. By preventing consumers, including exhibitors and attendees, from using previously purchased devices and data plans to establish Wi-Fi hotspots, M.C. Dean forced them to pay anywhere from hundreds to thousands of dollars for Wi-Fi access that they should have been able to obtain directly through their data plans. Over 43,000 exhibitors and attendees were present at the events where M.C. Dean engaged in Wi-Fi blocking during the period covered by this enforcement action. As described above, M.C. Dean affirmatively applied blocking criteria at the BCC that led to automatic blocking of lawful, off-the-shelf consumer devices operating at normal power levels. Additionally, M.C. Dean's unlawful conduct continued for two and half months after release of the Marriott Consent Decree. It was only after M.C. Dean became aware that it was being investigated by the Commission that it stopped Wi-Fi blocking.
Additionally, substantial evidence suggests that M.C. Dean's system detected and blocked some APs likely located outside of the BCC. In the records provided by M.C. Dean, every AP associated with "Ford" and "Bolt Bus" was identified as Blocked, suggesting the M.C. Dean system deauthenticated Wi-Fi networks generated by Ford vehicles and Bolt Buses that passed the BCC. This behavior, which impaired thousands of consumers' use of their lawful Wi-Fi devices is malicious and shows a pattern of conduct "suggest[ing] egregious misbehavior" warranting an upward forfeiture adjustment.
Lastly, M.C. Dean admits it deployed its Wi-Fi blocking equipment for a substantial period outside the statute of limitations and that its blocking activities continued for an extended period of time, including blocking after the issuance of the Marriott Consent Decree. M.C. Dean turned on the auto-block function in October 2012, resulting in the deauthentication of Wi-Fi hotspots for BCC visitors for over two years before M.C. Dean claims it ceased its blocking activities in December 2014. Such repeated or continuous violations also warrant a significant upward forfeiture adjustment. Based on the foregoing, an overall upward adjustment of $536,000 is warranted, bringing the overall proposed forfeiture amount to $718,000.
In applying the applicable statutory factors, we also consider whether there is any basis for a downward adjustment of the proposed forfeiture. Here, we find none. The malicious blocking of Wi-Fi hotspots is not a minor violation and M.C. Dean neither voluntarily disclosed its apparent violations nor ceased blocking until after the Bureau began its investigation. While M.C. Dean previously maintained a history of compliance with the Commission's rules, we also find no reason to reduce the proposed forfeiture in light of the egregious, intentional, and repeated nature of the apparent violations.
Conclusion
We have determined that M.C. Dean apparently repeatedly violated Section 333 of the Act and is apparently liable for a forfeiture of $718,000.
Ordering Clauses
Accordingly, IT IS ORDERED that, pursuant to Section 503(b) of the Act and Section 1.80 of the Commission's rules, M.C. Dean, Inc. is hereby NOTIFIED of its APPARENT LIABILITY FOR A FORFEITURE in the amount of seven hundred, eighteen thousand dollars ($718,000) for repeated violations of Section 333 of the Act.
IT IS FURTHER ORDERED that, pursuant to Section 1.80 of the Commission's rules, within thirty (30) calendar days of the release date of this Notice of Apparent Liability for Forfeiture, M.C. Dean, Inc. SHALL PAY the full amount of the proposed forfeiture or SHALL FILE a written statement seeking reduction or cancellation of the proposed forfeiture consistent with paragraph 49 below.
Payment of the forfeiture must be made by check or similar instrument, wire transfer, or credit card, and must include the NAL/Account Number and FRN referenced above. M.C. Dean, Inc. shall send electronic notification of payment to Jason Koslofsky at Jason.Koslofsky@fcc.gov, Pamera Hairston at Pamera.Hairston@fcc.gov and Samantha Peoples at Sam.Peoples@fcc.gov on the date said payment is made. Regardless of the form of payment, a completed FCC Form 159 (Remittance Advice) must be submitted. When completing the FCC Form 159, enter the Account Number in block number 23A (call sign/other ID) and enter the letters "FORF" in block number 24A (payment type code). Below are additional instructions that should be followed based on the form of payment selected:
* Payment by check or money order must be made payable to the order of the Federal Communications Commission. Such payments (along with the completed Form 159) must be mailed to Federal Communications Commission, P.O. Box 979088, St. Louis, MO 63197-9000, or sent via overnight mail to U.S. Bank - Government Lockbox #979088, SL-MO-C2-GL, 1005 Convention Plaza, St. Louis, MO 63101.
* Payment by wire transfer must be made to ABA Number 021030004, receiving bank TREAS/NYC, and Account Number 27000001. To complete the wire transfer and ensure appropriate crediting of the wired funds, a completed Form 159 must be faxed to U.S. Bank at (314) 418-4232 on the same business day the wire transfer is initiated.
* Payment by credit card must be made by providing the required credit card information on FCC Form 159 and signing and dating the Form 159 to authorize the credit card payment. The completed Form 159 must then be mailed to Federal Communications Commission, P.O. Box 979088, St. Louis, MO 63197-9000, or sent via overnight mail to U.S. Bank - Government Lockbox #979088, SL-MO-C2-GL, 1005 Convention Plaza, St. Louis, MO 63101.
Any request for making full payment over time under an installment plan should be sent to: Chief Financial Officer - Financial Operations, Federal Communications Commission, 445 12th Street, S.W., Room 1-A625, Washington, DC 20554. Questions regarding payment procedures should be directed to the Financial Operations Group Help Desk by phone, 1-877-480-3201, or by e-mail, ARINQUIRIES@fcc.gov.
The written statement seeking reduction or cancellation of the proposed forfeiture, if any, must include a detailed factual statement supported by appropriate documentation and affidavits pursuant to Sections 1.16 and 1.80(f)(3) of the Commission's rules. The written statement must be mailed to the Office of the Secretary, Federal Communications Commission, 445 12th Street, S.W., Washington, DC 20554, ATTN: Enforcement Bureau - Spectrum Enforcement Division, and must include the NAL/Account Number referenced in the caption. The statement must also be e-mailed to Jason Koslofsky at Jason.Koslofsky@fcc.gov and Pamera Hairston at Pamera.Hairston@fcc.gov.
The Commission will not consider reducing or canceling a forfeiture in response to a claim of inability to pay unless the petitioner submits: (1) federal tax returns for the most recent three-year period; (2) financial statements prepared according to generally accepted accounting practices; or (3) some other reliable and objective documentation that accurately reflects the petitioner's current financial status. Any claim of inability to pay must specifically identify the basis for the claim by reference to the financial documentation.
IT IS FURTHER ORDERED that a copy of this Notice of Apparent Liability for Forfeiture shall be sent by first class mail and certified mail, return receipt requested, to Bennett L. Ross, Wiley Rein LLP, Counsel to M.C. Dean, Inc., at 1776 K Street NW, Washington, DC 20006.
FEDERAL COMMUNICATIONS COMMISSION
Marlene H. Dortch
Secretary
DISSENTING STATEMENT OF
COMMISSIONER AJIT PAI
Re: M.C. Dean, Inc., File No. EB-SED-15-00018428.
Before the FCC can enforce rules, rules must exist. That's why I believe that the FCC should adopt rules that limit Wi-Fi blocking. Wi-Fi blocking occurs when a person uses an unlicensed Part 15 device to intentionally disrupt the operation of another unlicensed Part 15 device, such as a mobile hotspot that a consumer sets up to connect a Wi-Fi-enabled device to the Internet via his or her smartphone. I also believe that those rules should make clear that no person has carte blanche to intentionally disrupt another person's Wi-Fi connection.
Over a year ago, parties petitioned the FCC to enact such regulations. They asked the FCC to establish clear rules of the road through an industry-wide rulemaking. As one might expect, commenters responding to the petition offered very different takes on what any such rules should look like. Some argued that Wi-Fi blocking should not be allowed under any circumstance. Others argued that deauthentication is part of the IEEE 802.11 standard and should be permitted when necessary to ensure network security, such as to shut down access-point spoofing or other cyberattacks. Regardless, a broad cross section of groups agreed that the FCC should provide guidance. But instead of doing so, either in response to that petition or otherwise, Commission leadership made it abundantly clear that such guidance would not be forthcoming, and the agency ultimately dismissed the petition.
Flash forward to today. In this case, the Commission proposes to fine a company $718,000 for engaging in Wi-Fi blocking. But here's the rub. Because the Commission dropped the ball earlier this year, we do not have any rules that limit Wi-Fi blocking. Indeed, the only relevant rules we have on the books preclude liability in these circumstances.
To be sure, the Notice of Apparent Liability (NAL) takes a contrary position. It asserts that the Commission did not need to adopt or modify any rules because of section 333 of the Communications Act. That section states that "[n]o person shall willfully or maliciously interfere with or cause interference to any radio communications," and the agency argues that it has always prohibited the operator of an unlicensed Part 15 device from intentionally disrupting the operation of another unlicensed Part 15 device. But the Commission's attempt to apply section 333 to interference between Part 15 devices fails as a matter of law.
First, by definition, a Part 15 device cannot cause harmful interference to another Part 15 device. Under the agency's rules, a Part 15 device can cause harmful interference to a device operating in a licensed service, such as in a cellular band, and such interference is prohibited. But because of the shared, "commons" model that applies to all unlicensed operations, the Commission has repeatedly held that "interference caused to a Part 15 device by another Part 15 device does not constitute harmful interference." Whether that should be the law is a question worth exploring, as I've noted above. But it is the law now. That fact is fatal to the NAL's attempt to apply section 333 to unlicensed operations because it means that the Commission is proposing to fine a company for doing something that the FCC says carries no legal liability -- namely, operating a Part 15 device in a manner that intentionally disrupts the operation of another Part 15 device.
Second, and relatedly, section 333 does not apply because the FCC's Part 15 rules provide that unlicensed devices must accept any and all interference they receive, regardless of the source of that interference. As the Commission has determined, "[i]t does not matter who operates the unlicensed equipment or the purpose for which the equipment is used -- no protection against received interference is provided or available." Thus, as Cisco has explained, "[i]t simply cannot be that a Part 15 device is both unprotected against interference under Section 15.5(b) [of the Commission's rules] but protected against interference under Section 333" of the Communications Act.
So how does the NAL reconcile its newfound take on section 333 with these longstanding Commission rules and precedents? It doesn't. It simply recites the part of section 333 that says "[n]o person shall willfully or maliciously interfere with or cause interference to any radio communications" and asserts that, a fortiori, the provision prohibits a Part 15 device from interfering with another Part 15 device. But what about the FCC's decision to define harmful interference in a way that excludes Part 15 devices? What about the agency's decision to require Part 15 devices to accept any and all interference? These still-binding rules and precedents are ignored entirely.
Moreover, attempting to apply section 333 to unlicensed operations is not just contrary to law, it produces absurd and illogical results. Think about it. By the very nature of their shared use of spectrum, unlicensed devices routinely interfere with each other. When someone at a coffee shop uses Wi-Fi to surf the Internet or someone else relies on a Bluetooth connection to play music over a wireless speaker, they may very well be interrupting or causing harmful interference to another unlicensed device. Does anyone seriously believe that these routine uses of unlicensed technology violate section 333? I would hope not.
Yet that is exactly the result that the NAL's reading of section 333 compels. The provision prohibits any person from "willfully" interfering with covered communications. And recall that both the Communications Act and the FCC define "willful" as the conscious decision to act, irrespective of a person's motivation or intent to violate the law. So if section 333 applies to unlicensed operations, then that necessarily means that every time a consumer uses Wi-Fi, Bluetooth, or any other unlicensed technology, the FCC could find that they have willfully interfered with another unlicensed device in violation of federal law and thus subject them to millions of dollars in fines. It would make no difference that the consumer did not intend to disrupt lawful communications. This absurd outcome illustrates why the FCC has never read section 333 as applying to interference between unlicensed devices.
At the very least, all of this underscores a final reason why the Commission cannot lawfully apply section 333 in this case -- it has failed to comport with due process. As explained above, I believe it is clear that Wi-Fi blocking is currently lawful under the Commission's rules. But even if I am wrong about that, the Commission's case would still founder. That is because it is certainly not clear that Wi-Fi blocking is currently unlawful under the Commission's rules. And a core principle of the American legal system is that the government cannot sanction you for violating the law unless it has told you what the law is. In the regulatory context, due process is protected, in part, through the fair warning rule.
Specifically, the D.C. Circuit has stated that "[i]n the absence of notice -- for example, where the regulation is not sufficiently clear to warn a party about what is expected of it -- an agency may not deprive a party of property." Thus, an agency cannot at once invent and enforce a legal obligation.
Yet that is precisely what has happened here. Prior to this NAL, the Commission never interpreted section 333 as prohibiting interference between unlicensed devices. The 2011 and 2012 Bureau-level Enforcement Advisories to which the NAL points certainly didn't. They simply reminded consumers that they cannot use jammers -- which are not Part 15 devices and have no lawful application -- regardless of whether those jammers interfere with a licensed service or Wi-Fi communications. They have nothing to do with interference between Part 15 devices and whether such interference constitutes a violation of section 333. Nor could they, given the full Commission's determination that Part 15 devices cannot cause harmful interference, as discussed above.
Nor is the NAL right to rely on two Bureau-level consent decrees to satisfy the fair-warning rule. By their very terms, those documents state that they "do[] not constitute either an adjudication on the merits or a factual or legal finding or determination regarding any compliance or noncompliance with the Communications Law."
* * *
There is widespread agreement that we should take action to limit Wi-Fi blocking. The disagreement is over how we should go about doing that. I believe that we should adopt rules that clearly set forth when Wi-Fi blocking is unlawful and when, if ever, it is lawful. And I stand ready to work with my colleagues to craft such rules and then enforce them. But I cannot support taking enforcement action against a party that has not violated any statutory provision or Commission rule.
In the end, this decision is the latest evidence that the FCC's enforcement process has gone off the rails. Instead of dispensing justice by applying the law to the facts, the Commission is yet again focused on issuing headline-grabbing fines. And while I have no doubt that this NAL will generate plenty of press, I cannot support this lawless item. Therefore, I respectfully dissent.
DISSENTING STATEMENT OF
COMMISSIONER MICHAEL O'RIELLY
Re: M.C. Dean, Inc., File No.: EB-SED-15-00018428, NAL/Acct. No.: 201532100008, FRN: 0011134921, Notice of Apparent Liability for Forfeiture
A little over a year ago, I became aware of the contention that the use of deauthentification technology to manage Wi-Fi systems violates section 333 of the Communications Act. I respectfully requested that the Commission undertake a rulemaking or other proceeding to consider this issue more thoroughly, instead of pursuing an enforcement action. This seemed like a reasonable request when there was already a petition - and corresponding comments - on file. Alas, my request was rejected and the petition eventually withdrawn (conveniently after some of the petitioners entered into a consent decree with the Enforcement Bureau), leaving the substantive concerns unaddressed. So that brings us to another suspect enforcement item without the underlying work being done.
As a strong supporter of what Wi-Fi can bring to consumers and the marketplace, I am extremely sympathetic to concerns regarding certain operators needlessly interfering with access points. I, however, cannot agree with the expansive reading of the statute contained in this item, especially without the Commission conducting a more thorough review of the issues raised in the earlier proceeding and repeated in the context of this enforcement matter.
Section 333 prohibits willful or malicious interference "to any radio communication of any station licensed or authorized by or under this Act." There is no clear intent that Congress meant to ensnare Part 15 devices when it used the word "station." The legislative history highlights several services and contains language that indicate that Congress meant to protect stations that are licensed or licensed by rule, as opposed to unlicensed spectrum or devices, which are never mentioned, even though Part 15 was in existence decades before section 333 was adopted.
There are legitimate concerns that equating Part 15 devices to "stations" appears inconsistent with prior Commission actions and could have serious regulatory repercussions for unlicensed users. For instance, if such devices are "stations," would they be subject to other licensing provisions of the Act, such as foreign ownership restrictions and transfer of control provisions, among others? The Commission has never applied these sections to Wi-Fi operators. In fact, devices and stations traditionally have been treated differently under both the statute and Commission rules.
Some have also raised whether the use of deauthentification frames constitutes interference under section 333. For example, the Commission's definition of interference is "[t]he effect of unwanted energy due to one or a combination of emissions, radiations, or inductions upon reception in a radiocommunication system, manifested by any performance degradation, misinterpretation, or loss of information which could be extracted in the absence of such unwanted energy." It appears that this provision applies to mechanisms that intentionally cause electromagnetic interference, such as jammers, and not to deauthentification frames, which do not increase the level of energy overpowering communications signals in an area.
There is also a debate regarding potential inconsistencies between section 333 and the Part 15 rules. Under section 15.5(b) of the Commission's rules, unlicensed devices can cause interference to and must accept interference from other Part 15 devices. On the other hand, if section 333 applies to a Part 15 device, such a device would be prohibited from "willfully and maliciously interfer[ing] with or caus[ing] interference to" other unlicensed devices. This language appears to directly contravene the language of section 15.5(b). If applied, the statutory language of section 333, as written, could undermine the regulatory structure of unlicensed operations and potentially subject all Wi-Fi users to potential enforcement action whenever they "willfully" operate Wi-Fi equipment.
Despite these valid concerns, we are, once again, trying to set important and complex regulatory policy by enforcement adjudication. This is backward and not the best course of action. Besides this Notice of Apparent Liability, the Commission has never considered whether using deauthentification software violates the statute or Commission policy. The Enforcement Bureau - not the Commission - has issued two consent decrees and four enforcement advisories, three of which are actually about
jammers. Enforcement advisories and consent decrees do not serve as Commission precedent. Moreover, the last advisory, which the Enforcement Bureau must have found necessary due the unclear regulatory state, was released after the suspected behavior in this case. Even if one accepts the belief that such advisories are worth something, how is that sufficient notice or fair?
The simple, which happens to correspond to the appropriate, solution to this controversy, is to either seek Congressional clarification or conduct a broad rulemaking on the potential reach of section 333 to Part 15 devices. That way all views can be explored by the Commission and objectors would have a remedy process via the court system.
As a side note, this item, yet again, fails to state with particularity how the Commission calculated the upward adjustment. I continue to be unable to support upward adjustments that are meant to penalize entities for potential violations outside of the statute of limitations period.
For the reasons stated above, I dissent.