Open Wi-Fi May Become Illegal In India

chromoZ writes with word that because of the serial blasts in Indian cities (and terrorist outfits claiming responsibility via email, often sent via Cyber Cafes and open Wi-Fi spots), sharing unsecured wireless access may get much tougher in India: "The Telecom Regulatory Authority of India (TRAI) after studying open Wifi networks is coming up with a set of guidelines and recommendations to secure them. 'All ISPs may be instructed to ensure that their subscribers using wireless devices must use effective authentication mechanisms and permit access to internet to only authorised persons using wireless devices.' An open Wi-Fi could be as much as illegal in India after this."

Proxies

What about proxies or tunnels then?

mail box

Wont they use the mail box down the street?.

Solution: authorize everyone

All ISPs may be instructed to ensure that their subscribers using wireless devices must use effective authentication mechanisms and permit access to internet to only authorised persons using wireless devices.

Simple solution: authorize everyone with WiFi capability to access your network. The authentication is very strong, as anyone without WiFi capability will absolutely not be allowed to connect.

Re:

That fails the "authenticate" requirement. In fact, it completely ignores that authentication (clearly and accurately ascertaining the identity of the connection user) is intended to be a mandatory precondition to access.

By analogy (not a car analogy, sorry), if you operate a liquor store and your local jurisdiction imposes an age-verification requirement (authenticate purchaser's age) before you can make a sale of an intoxicating controlled beverage (authorize the transaction), your solution is to ignore t

Re:What are you supposed to authenticate?

With the drink, it's "authenticate how old they are."

With wifi, it's "authenticate who they are."

See, the parallel construction works just fine. It's not that much of a stretch.

Now, within the letter of this "law", you could still allow "anonymous" access:

WAP: "Who are you?"
User: "I'm A. Nony Mouse".
WAP, to himself: "Is 'A. Nony Mouse' allowed access? Since the authorized users list is the regular expression '.*', yes, he is authorized."
WAP: "Welcome, Mr. Mouse"

Perfect compliance with the stated guidelines. Note the absence of any requirement:

• to validate that an identity is genuine
• to log or retain the submitted identity
• to limit access in any fashion

Futility. It doesn't take that much cleverness to obey the guideline and still carry on as usual.

If the authorities are serious about stamping out WAP-based anonymity, they're gonna have to try harder.

Re:What are you supposed to authenticate?

With wifi, it's "authenticate who they are."

No, not really. With wifi you are not actually authenticating the identity of the person using the connection. Not unless you assign a police officer to stand guard next to every wifi NIC and check photo IDs. With wifi all you can hope to authenticate is the identity of the "user" - a mythical creature that exists only in the password file. This "user" is allowed to enter because he knows a secret handshake. But you still have no idea who he is.

Re:Solution: authorize everyone

Simple solution: authorize everyone with WiFi capability to access your network. The authentication is very strong, as anyone without WiFi capability will absolutely not be allowed to connect.

There's a problem there. TFS indicates that this is just a "set of guidelines and recommendations", but the title indicates that it's a potential law. If the law states that you must authorize people to use your network, it seems that they could hold you responsible for its misuse. So if somebody transmits terrorist instructions / P2Ps RIAA music / uploads kiddie porn (won't somebody think of the children!?!), they may drag you in. Even though you didn't commit the crime, you authorized somebody to use your equipment and helped facilitate the crime.

Of course, if I loan somebody my car and they run down their cheating GF, I'm probably safe unless they told me their intention ahead of time. But Internet laws are still so nebulous that the analogy may not carry over.

Re:Solution: authorize everyone

if I loan somebody my car and they run down their cheating GF, I'm probably safe unless they told me their intention ahead of time. But Internet laws are still so nebulous that the analogy may not carry over.

But it must! It's a car analogy!

Of course, this does nothing

to stop the attacks in the first place. Lots of other ways to claim responsibility for attacks. As usual, it just makes the common man a criminal...

Re:Of course, this does nothing

yea, this is quite idiotic.

terrorists don't carry out attacks because they have open wi-fi access. they simply use open wi-fi because it's available and convenient--the same reason everyone else uses it.

if they can't access the internet via open wi-fi they'll just use other anonymous channels. what is the Indian government going to do, eliminate public computer terminals at schools and libraries? ban proxy servers? or simply outlaw anonymity altogether?

it would be just as easy to claim responsibility for a terrorist act by leaving an anonymous note or spraying graffiti onto the side of a public building at night. should all Indian citizens have to get GPS implants?

Re:Of course, this does nothing

Quite true. Yet if India is anything like America, a thin layer of anti-terrorist wrapping paper is all that's needed to disguise even the most egregiously pro-corporate legislation. The telecoms want this change to reduce sharing of network connections, pure and simple.

What a pity

I recently toured Skandinavia. In every reasonably big city
(that means "more than 15 houses" over there), you can nearly
be sure to find some open access point. Of course, some of
those are cluess users using lousy default configs - but quite
a lot are deliberately open, with SSIDs like "welcome_to_stockholm".

One even ran a guestbook on the AP's port 80, accessible only
from the inside. Lots and lots of grateful people from all over
the world had left a message before mine :-)

That's the kind of culture I would like to see encouraged in
other places as well, not this "OMG terrorists" bullshit being
used as an excuse for more and more control in way too many
parts of the world.

Re:What a pity

That's the kind of culture I would like to see encouraged in
other places as well, not this "OMG terrorists" bullshit being
used as an excuse for more and more control in way too many
parts of the world.

Then vote for cultural homogeneity? There seldom seems to be OMG Terrorist! or repressive government problems when you have a homogeneous culture.

In places with highly diverse cultures, the tension and the government repression seem to get ratcheted up.

Re:What a pity

Scandinavia is the least religious place in the world explaining well the lack of violence. Compare that to homogeneous places in africa where violent crime is incredibly high. Or compare that to Canada where we are very multi-cultural but have fairly low rates of crime. A country being homogeneous will i think lower crime but it is NOT a major factor. The places history, culture and religious fervor seems to set the pace.

Re:What a pity

Then vote for cultural homogeneity? There seldom seems to be OMG Terrorist! or repressive government problems when you have a homogeneous culture.

That whole "cultural homogeneity" meme is just used as a dismissive tactic to avoid discussing the real reasons the Scandinavian cultures are so successful. Cultural homogeneiety is pretty prevalent in China, Russia, North Korea, Saudi Arabia, etc., just as much as in Denmark, Sweden, Norway, etc, yet those countries don't get any awards for being great places to live.

The difference is that the Scandinavian cultures are highly progressive. Education is free to all, and the government will actually pay the students to go to school, so you end up with citizens that are educated on the issues, smart enough to vote for much better government candidates, and don't fall for the "tricks" that less educated voters fall for. So -- surprise -- they don't end up with repressive govnerments. Surprise! The tax money that is generated actually goes to services that are useful to the people that pay them. The citizens get free health care, housing help, and many other services that keep their society, happy, relaxed, and stable.

In America, our education is hugely expensive, so many people don't get educated. You end up with ignorant voters --> corrupt politicians, deregulation, failing banks, and the current "socialism for the rich", complete with massive government bailouts, but only for rich investors.

In other countries, with even less educated voters, you end up with worse conditions. It's not a mystery.

Re:

I am surprised that India hasnt opted to carpet bomb Pakistan occupied Kashmir.

Pakistan has nukes, and Indians aren't stupid.

Re:

You know, I'm sick of this kind of reasoning. I grew up in the UK during the Northern Ireland troubles, and terrorist bombs were a fairly regular news item. I didn't know anyone who had been killed in one, but my mother only missed one because the tube she was on was delayed. And yet, in spite of the fact we had terrorists recruiting and training a narrow strip of water away, we didn't feel the need to give up freedoms or think 'what would terrorists do with this kind of situation' before doing anything.

Re:

seven years in to the stark reality posed by the threat of Islamic terrorism, I am surprised that India hasnt opted to carpet bomb Pakistan occupied Kashmir.

Seven years is the American viewpoint on that "stark reality" ... for Indians it's been a lot, lot longer.

How?

All ISPs may be instructed to ensure that their subscribers using wireless devices must use effective authentication mechanisms and permit access to internet to only authorised persons using wireless devices.

And just how are the ISPs supposed to be able to accomplish this? Are they going to have people wardriving all around India, sniffing out open wifi, then seeing if it traces back to one of their customers? Or is a strongly worded email sufficient?

Prepaid SIM cards in India ...

Of all the countries I've traveled, India is far and away the biggest pain in the ass to get hold of a simple prepaid SIM to stick in your cellphone. Even a little hole-in-the-wall shop wants you to fill out a detailed form, provide identification to be photocopied, provide a valid address while staying in India ... all because they don't want terrorists to be able to use throwaway phones for planning and coordination of attacks.

I'm not at all surprised to see this mindset being extended into other wireless communications

One thing to keep in mind - while America received their "wake up call" in September 2001, there are other nations like India that have been battling terrorism on home soil for several decades. It's worth paying close attention to what these other nations are doing today, if you want clues to what America might be doing tomorrow.

Re:Prepaid SIM cards in India ...

We were battling terrorism in the UK for decades, coming over from Ireland. Most of it was funded by the US. We pretty much ignored it - you'd get a short snipped on the news about it and then back to work. September 2001 was a wake-up call for our government too - they learned from the USA that they could use terrorism as a way of gaining more control over individual lives, rather than it just being a minor irritation.

That's a relief!

Traceroute tells me that it's 26 hops from me to the first computer in India I tried, and that looks like it's getting dangerously close to their default 30 hop max. Now, I don't know enough about network protocols to be sure of the best way to prune that route back if it grows to 27 hops, but I bet this new idea of singling out the guy running router number 26 and arresting him should work just fine. Clearly India's regulators know almost as much as I do about the Internets!

Background.

For anyone wondering about the background to this move, you could start with the Wikipedia article" [wikipedia.org]

Re:

It could just as easily be abject stupidity or ignorance on the part of policy makers; the typical practise of taking action with no regard as to its effectiveness.

Re:

Since when does disobeying "guidelines and recommendations" mean you are breaking the law?

The law in a given jurisdiction may condition safe-harbor provisions on compliance with "guidelines and recommendations". For example, the Online Copyright Infringement Liability Limitation Act, which has been law in the United States (home of Slashdot) for just shy of a decade, conditions a safe harbor for copyright infringement on a notice and takedown procedure.

Just set the ESSID to "You are authorized," then everyone using it is authorized.

But nobody is authenticated. The guideline appears to require both authentication and authorization.