Open Wi-Fi May Become Illegal In India

chromoZ writes with word that because of the serial blasts in Indian cities (and terrorist outfits claiming responsibility via email, often sent via Cyber Cafes and open Wi-Fi spots), sharing unsecured wireless access may get much tougher in India: "The Telecom Regulatory Authority of India (TRAI) after studying open Wifi networks is coming up with a set of guidelines and recommendations to secure them. 'All ISPs may be instructed to ensure that their subscribers using wireless devices must use effective authentication mechanisms and permit access to internet to only authorised persons using wireless devices.' An open Wi-Fi could be as much as illegal in India after this."

Proxies

[Lucky75 (1265142)]

What about proxies or tunnels then?

mail box

[by Anonymous Coward]

Wont they use the mail box down the street?.

Solution: authorize everyone

[noidentity (188756)]

All ISPs may be instructed to ensure that their subscribers using wireless devices must use effective authentication mechanisms and permit access to internet to only authorised persons using wireless devices.

Simple solution: authorize everyone with WiFi capability to access your network. The authentication is very strong, as anyone without WiFi capability will absolutely not be allowed to connect.

Re:

[idontgno (624372)]

That fails the "authenticate" requirement. In fact, it completely ignores that authentication (clearly and accurately ascertaining the identity of the connection user) is intended to be a mandatory precondition to access.

By analogy (not a car analogy, sorry), if you operate a liquor store and your local jurisdiction imposes an age-verification requirement (authenticate purchaser's age) before you can make a sale of an intoxicating controlled beverage (authorize the transaction), your solution is to ignore t

Re:What are you supposed to authenticate?

[idontgno (624372)]

With the drink, it's "authenticate how old they are."

With wifi, it's "authenticate who they are."

See, the parallel construction works just fine. It's not that much of a stretch.

Now, within the letter of this "law", you could still allow "anonymous" access:

WAP: "Who are you?"
User: "I'm A. Nony Mouse".
WAP, to himself: "Is 'A. Nony Mouse' allowed access? Since the authorized users list is the regular expression '.*', yes, he is authorized."
WAP: "Welcome, Mr. Mouse"

Perfect compliance with the stated guidelines. Note the absence of any requirement:

• to validate that an identity is genuine
• to log or retain the submitted identity
• to limit access in any fashion

Futility. It doesn't take that much cleverness to obey the guideline and still carry on as usual.

If the authorities are serious about stamping out WAP-based anonymity, they're gonna have to try harder.

Re:What are you supposed to authenticate?

[Venik (915777)]

With wifi, it's "authenticate who they are."

No, not really. With wifi you are not actually authenticating the identity of the person using the connection. Not unless you assign a police officer to stand guard next to every wifi NIC and check photo IDs. With wifi all you can hope to authenticate is the identity of the "user" - a mythical creature that exists only in the password file. This "user" is allowed to enter because he knows a secret handshake. But you still have no idea who he is.

Re:Solution: authorize everyone

[gnick (1211984)]

Simple solution: authorize everyone with WiFi capability to access your network. The authentication is very strong, as anyone without WiFi capability will absolutely not be allowed to connect.

There's a problem there. TFS indicates that this is just a "set of guidelines and recommendations", but the title indicates that it's a potential law. If the law states that you must authorize people to use your network, it seems that they could hold you responsible for its misuse. So if somebody transmits terrorist instructions / P2Ps RIAA music / uploads kiddie porn (won't somebody think of the children!?!), they may drag you in. Even though you didn't commit the crime, you authorized somebody to use your equipment and helped facilitate the crime.

Of course, if I loan somebody my car and they run down their cheating GF, I'm probably safe unless they told me their intention ahead of time. But Internet laws are still so nebulous that the analogy may not carry over.

Re:Solution: authorize everyone

[digitig (1056110)]

if I loan somebody my car and they run down their cheating GF, I'm probably safe unless they told me their intention ahead of time. But Internet laws are still so nebulous that the analogy may not carry over.

But it must! It's a car analogy!

Of course, this does nothing

[rolfwind (528248)]

to stop the attacks in the first place. Lots of other ways to claim responsibility for attacks. As usual, it just makes the common man a criminal...

Re:Of course, this does nothing

[lysergic.acid (845423)]

yea, this is quite idiotic.

terrorists don't carry out attacks because they have open wi-fi access. they simply use open wi-fi because it's available and convenient--the same reason everyone else uses it.

if they can't access the internet via open wi-fi they'll just use other anonymous channels. what is the Indian government going to do, eliminate public computer terminals at schools and libraries? ban proxy servers? or simply outlaw anonymity altogether?

it would be just as easy to claim responsibility for a terrorist act by leaving an anonymous note or spraying graffiti onto the side of a public building at night. should all Indian citizens have to get GPS implants?

Re:Of course, this does nothing

[IcyHando'Death (239387)]

Quite true. Yet if India is anything like America, a thin layer of anti-terrorist wrapping paper is all that's needed to disguise even the most egregiously pro-corporate legislation. The telecoms want this change to reduce sharing of network connections, pure and simple.

guidelines == law??

[Locklin (1074657)]

Since when does disobeying "guidelines and recommendations" mean you are breaking the law?

Just set the ESSID to "You are authorized," then everyone using it is authorized.

Re:

[tepples (727027)]

Since when does disobeying "guidelines and recommendations" mean you are breaking the law?

The law in a given jurisdiction may condition safe-harbor provisions on compliance with "guidelines and recommendations". For example, the Online Copyright Infringement Liability Limitation Act, which has been law in the United States (home of Slashdot) for just shy of a decade, conditions a safe harbor for copyright infringement on a notice and takedown procedure.

Just set the ESSID to "You are authorized," then everyone using it is authorized.

But nobody is authenticated. The guideline appears to require both authentication and authorization.

anonymity

[EaglemanBSA (950534)]

This seems like an in-line move with the recent article about the international group working towards eliminating anonymity on the internet [slashdot.org]. How is this going to make things more secure? If I want to set off a bomb, I'm going to set off a bomb, with or without an open wireless router. Given the stated problem, this seems like an asinine response.

What a pity

[the_other_chewey (1119125)]

I recently toured Skandinavia. In every reasonably big city
(that means "more than 15 houses" over there), you can nearly
be sure to find some open access point. Of course, some of
those are cluess users using lousy default configs - but quite
a lot are deliberately open, with SSIDs like "welcome_to_stockholm".

One even ran a guestbook on the AP's port 80, accessible only
from the inside. Lots and lots of grateful people from all over
the world had left a message before mine :-)

That's the kind of culture I would like to see encouraged in
other places as well, not this "OMG terrorists" bullshit being
used as an excuse for more and more control in way too many
parts of the world.

Re:

[kypper (446750)]

I was just thinking the same. Seems to me that if you want anyone to be an 'authorized person', the above doesn't matter.

Re:

[tomz16 (992375)]

I was just thinking the same. Seems to me that if you want anyone to be an 'authorized person', the above doesn't matter.

That's cool... until one of your "authorized" persons threatens the president!

Re:What a pity

[swb (14022)]

That's the kind of culture I would like to see encouraged in
other places as well, not this "OMG terrorists" bullshit being
used as an excuse for more and more control in way too many
parts of the world.

Then vote for cultural homogeneity? There seldom seems to be OMG Terrorist! or repressive government problems when you have a homogeneous culture.

In places with highly diverse cultures, the tension and the government repression seem to get ratcheted up.

Re:What a pity

[Idiomatick (976696)]

Scandinavia is the least religious place in the world explaining well the lack of violence. Compare that to homogeneous places in africa where violent crime is incredibly high. Or compare that to Canada where we are very multi-cultural but have fairly low rates of crime. A country being homogeneous will i think lower crime but it is NOT a major factor. The places history, culture and religious fervor seems to set the pace.

Re:

[bhv (178640)]

That's funny stuff. The only thing I see our (Canada's) multi-cultural openness leading to is more Sharia-law.....yes more. Majority rules, it's only a matter of time.

Switzerland, the land of openness, is struggling to close the flood gates now. You would like to think our country could watch, learn and adjust. Alas, we are to passive about anything not having to do with hockey.

Re:

[Idiomatick (976696)]

1. Sweden (up to 85% non-believer, atheist, agnostic)

2. Vietnam

3. Denmark

4. Norway

5. Japan

6. Czech Republic

7. Finland

Do note numbers 1,3,4,7

Re:

[orzetto (545509)]

You are not looking for cultural homogeneity, you are looking for compatibility. In my work place (research institution in Germany) there are people from all over the world, only about half are German, and I still have to see any act of the slightest cultural embarrassment.

Of course, a lot of idiots are incompatible (not name-calling: look up the word "idiot") with other cultures, because they have been told their culture or race is superior, their god is the only true one, and that they should obey instead

Re:What a pity

[soren100 (63191)]

Then vote for cultural homogeneity? There seldom seems to be OMG Terrorist! or repressive government problems when you have a homogeneous culture.

That whole "cultural homogeneity" meme is just used as a dismissive tactic to avoid discussing the real reasons the Scandinavian cultures are so successful. Cultural homogeneiety is pretty prevalent in China, Russia, North Korea, Saudi Arabia, etc., just as much as in Denmark, Sweden, Norway, etc, yet those countries don't get any awards for being great places to live.

The difference is that the Scandinavian cultures are highly progressive. Education is free to all, and the government will actually pay the students to go to school, so you end up with citizens that are educated on the issues, smart enough to vote for much better government candidates, and don't fall for the "tricks" that less educated voters fall for. So -- surprise -- they don't end up with repressive govnerments. Surprise! The tax money that is generated actually goes to services that are useful to the people that pay them. The citizens get free health care, housing help, and many other services that keep their society, happy, relaxed, and stable.

In America, our education is hugely expensive, so many people don't get educated. You end up with ignorant voters --> corrupt politicians, deregulation, failing banks, and the current "socialism for the rich", complete with massive government bailouts, but only for rich investors.

In other countries, with even less educated voters, you end up with worse conditions. It's not a mystery.

Mod parent up

[Chrisq (894406)]

Good pint, cultural homogeneity may or may not be necessary but it is certainly not sufficient.

Re:

[cOdEgUru (181536)]

Last I checked, this is the overall tally

Number of lives lost in Scandinavia due to Terrorism: 0

Number of lives lost in India due to Terrorism: Atleast 635 people killed in Terrorism since 2001 (I think in reality its far more..)

http://en.wikipedia.org/wiki/Terrorism_in_India [wikipedia.org]

For all the people here, how would you start behaving the day after the first series of bomb blasts if they were to go off in major cities around US? How would your perspectives change, after the fiftieth one, and consider for a minute

Re:

[Hognoxious (631665)]

I am surprised that India hasnt opted to carpet bomb Pakistan occupied Kashmir.

Pakistan has nukes, and Indians aren't stupid.

Re:

[TheRaven64 (641858)]

You know, I'm sick of this kind of reasoning. I grew up in the UK during the Northern Ireland troubles, and terrorist bombs were a fairly regular news item. I didn't know anyone who had been killed in one, but my mother only missed one because the tube she was on was delayed. And yet, in spite of the fact we had terrorists recruiting and training a narrow strip of water away, we didn't feel the need to give up freedoms or think 'what would terrorists do with this kind of situation' before doing anything.

Re:

[oldspewey (1303305)]

seven years in to the stark reality posed by the threat of Islamic terrorism, I am surprised that India hasnt opted to carpet bomb Pakistan occupied Kashmir.

Seven years is the American viewpoint on that "stark reality" ... for Indians it's been a lot, lot longer.

Re:

[warrior_s (881715)]

What I am saying is, seven years in to the stark reality posed by the threat of Islamic terrorism, I am surprised that India hasnt opted to carpet bomb Pakistan occupied Kashmir.

A correction, its not 7 years, its almost 20 years since islamic terrorism started in India.
This [wikipedia.org] is the beginning I think, and the terrorists have never looked back.

Re:

[the_other_chewey (1119125)]

how can I guarantee against illegal activities on my internet connection?

You can't. The probability for it to happen is rather low though (especially if you are not
the only one doing it), and (IMHO) that risk is way outweighed by the advantages for the
commonality - and that's where the need for a sane political and legal environment comes in:
To protect the AP owner from being liable for everything that goes on over said AP.

Laws like that don't prevent anything, someone determined will still find a way to do whatever
would have been possible over an open AP via some other m

Re:

[eosp (885380)]

In Sweden, it is common to either leave one's door unlocked so that passers-by can use the restroom, or have the house laid out such that a restroom is accessible from outside without passing through the house.

How?

[camperdave (969942)]

All ISPs may be instructed to ensure that their subscribers using wireless devices must use effective authentication mechanisms and permit access to internet to only authorised persons using wireless devices.

And just how are the ISPs supposed to be able to accomplish this? Are they going to have people wardriving all around India, sniffing out open wifi, then seeing if it traces back to one of their customers? Or is a strongly worded email sufficient?

Re:

[Rayeth (1335201)]

I suppose they could require every wireless AP to authenticate its users to a RADIUS server [wikipedia.org]. Of course that means strict control over all the types of APs used and no one really wants that, but that would certainly provided the authentication, albeit being a giant pain for the ISP and the customers.

The technologies exist, they just aren't cheap or very user friendly.

Re:

[clevelandguru (612010)]

Usually the ISP provides the WiFi device (DSL Modem/Router/WiFi all in a single box) and an ISP technician installs it for the user.

Prepaid SIM cards in India ...

[oldspewey (1303305)]

Of all the countries I've traveled, India is far and away the biggest pain in the ass to get hold of a simple prepaid SIM to stick in your cellphone. Even a little hole-in-the-wall shop wants you to fill out a detailed form, provide identification to be photocopied, provide a valid address while staying in India ... all because they don't want terrorists to be able to use throwaway phones for planning and coordination of attacks.

I'm not at all surprised to see this mindset being extended into other wireless communications

One thing to keep in mind - while America received their "wake up call" in September 2001, there are other nations like India that have been battling terrorism on home soil for several decades. It's worth paying close attention to what these other nations are doing today, if you want clues to what America might be doing tomorrow.

Re:Prepaid SIM cards in India ...

[TheRaven64 (641858)]

We were battling terrorism in the UK for decades, coming over from Ireland. Most of it was funded by the US. We pretty much ignored it - you'd get a short snipped on the news about it and then back to work. September 2001 was a wake-up call for our government too - they learned from the USA that they could use terrorism as a way of gaining more control over individual lives, rather than it just being a minor irritation.

Re:

[c (8461)]

> Even a little hole-in-the-wall shop wants you to fill out a detailed
> form, provide identification to be photocopied, provide a valid
> address while staying in India

Yes, but did you instead try:

1. slipping the shop $250 (or 250 euros) or some other reasonable multiple of a month/year salary?
2. use fake id/contact info
3. pull a gun and threaten to kill their entire extended family if the phone stopped working within days
4. ask your cousin behind the counter to stop screwing around and just give y

When open wi-fi is outlawed...

[johnny cashed (590023)]

You know, only outlaws will open wi-fi. Seriously, terrorists will use cracking techniques to open "closed" wi-fi networks. From what I understand, wi-fi security is weak and easily cracked anyway.

Re:

[Overzeetop (214511)]

Well, it is in the name of preventing the high crime of "taking credit for a terrorist act via email" (note that if it had been "...on the internet" it could have been patented).

Apparently, somebody got frustrated that they couldn't track down the low level flunkie who sent the message because it was done on an uncontrolled wifi connection. Apparently, while the terrorists are good at using anonymous email, they lack the skills to send a letter anonymously through physical post without leaving those key ide

Post-Fix

[aalu.paneer (872021)]

The current Indian government is the most ineffective and clueless one. The emails are sent after the bombs have gone off, after the victims are dead or injured. The damage is done. The terrorist will find another way of sending their message. Shutting down Open Wi-fi will achieve nothing!

Mod parent up.

[TheLink (130905)]

Yeah exactly what I was thinking.

If they really want to catch terrorists, perhaps the government should secretly sponsor many free open wifi spots - fast access, no blocking etc.

And then log the traffic, mac addresses and rough physical locations (you can do triangulation to figure where the users are).

And also plant cameras in the vicinity.

So when the bombers log on to brag about it, there is a higher chance of the cops being able to pick them up for "investigation".

It's even great that they use email - yo

That's a relief!

[roystgnr (4015)]

Traceroute tells me that it's 26 hops from me to the first computer in India I tried, and that looks like it's getting dangerously close to their default 30 hop max. Now, I don't know enough about network protocols to be sure of the best way to prune that route back if it grows to 27 hops, but I bet this new idea of singling out the guy running router number 26 and arresting him should work just fine. Clearly India's regulators know almost as much as I do about the Internets!

Background.

[Vellmont (569020)]

For anyone wondering about the background to this move, you could start with the Wikipedia article" [wikipedia.org]

Re:

[Free the Cowards (1280296)]

Did I miss the part where it explained how the terrorists in question used open wifi as part of their attacks, or are you just saying that it's another case of government using terrorism as an excuse to crack down on something?

sounds hard to enforce

[poetmatt (793785)]

beyond this sounding odd from a US-perspective (even though this isn't a US thing), would this even be enforceable? I mean can you really force someone to not be able to just hid their SSID or mac filter or something?

I do understand that it would set a legal precedent over there, etc...but still.

Re:

[tepples (727027)]

I mean can you really force someone to not be able to just hid their SSID or mac filter or something?

Anyone can crack the 26-digit WEP key in minutes [theinquirer.net]. From there, you can pick up SSIDs from association requests [wi-fiplanet.com] and snoop on the MAC that sends and receives each packet. Still, the use of WEP, hidden SSIDs, and MAC filtering keeps casual leeches out and establishes an attacker's intent [wikipedia.org] to enter the network.

Re:

[poetmatt (793785)]

Well yes, you and I understand that, but I didn't think it was necessary to mention that all forms of protection are useless if someone intends to gain access to the router.

However, my question remained as to whether you can truly control whether someone can provide open access or not.

Re:

[oldspewey (1303305)]

One of the greatest strengths about the internet is how easy it is to remain anonymous and that's a feature, not a bug.

If TFA had been about spam rather than a crackdown on terrorism, would you still make the same statement?

Re:

[Spatial (1235392)]

It could just as easily be abject stupidity or ignorance on the part of policy makers; the typical practise of taking action with no regard as to its effectiveness.

Re:

[bendodge (998616)]

Just wait. IPv6 will make this much easier to enact. Much as I like IPv6 over 4, it has some very scary privacy implications.