According to network security provider GFI, an Acceptable Use Policy should successfully define which network systems the policy covers; explicitly prohibit illicit behavior, distribution, and communications; establish privacy guidelines; and provide a clear description of the risks associated with noncompliance. Private Internet AUPs include corporations setting the standards for their employees, educational institutions enforcing appropriate behavior among students, and governmental organizations ensuring security and confidentiality. A public Acceptable Use Policy template, however, offers a unique set of challenges due to the open and accessible nature of public Internet, such as open-access WiFi Networks.
Growth of public WiFi
The Wireless Broadband Alliance (WBA) published the results of extensive research into the growth of public WiFi in their 2013 paper Global Trends in Public WiFi. Corporate and broadband confidence levels with regard to investing in public WiFi increased 20% between 2012 and 2013. The WBA predicts “overall data traffic will increase 12 times between 2013 and 2018”, with even higher rates predicted for mobile data traffic. The general public is increasingly using public WiFi for services such as high-speed gaming and video conferencing. Although today’s organizations often restrict excessive use of resources (including bandwidth), even public WiFi guests will continue to expect higher speeds and minimal latency. Those who offer public WiFi (for instance, businesses and public organizations) are attempting to meet demands for quality of service rather than restrict (and potentially alienate) visitors. Increased mobility means that “always-on broadband connectivity becomes vital to many ways of living and working.” The ubiquity of public WiFi has become so prevalent that mobile providers now offer their own networks of public WiFi in order to encourage customer retention. Residential areas are increasingly providing community hotspots, or “homespots,” as individuals require seamless and ubiquitous wireless Internet access. However, the rise in public WiFi usage is also raising security concerns. Public WiFi is inherently open to security threats. Those who use do so with the premise that their every activity is visible to a third party connecting to the same hot spot. WiFi providers, as a result, need to follow an updated acceptable use policy template to ensure security from their side.
Drafting an acceptable use policy template for public WiFi networks
Producers of monitoring software SpectorSoft outline the key points to keep in mind when drafting a contemporary AUP in their white paper Bringing Your Acceptable Use Policy Up to 2013 Standards. A policy should be clear and easy to implement, avoiding language that is open to interpretation such as “reasonable” and “appropriate.” The AUP must be enforceable and may involve a third-party monitoring system. Policies must describe the areas of responsibility for all involved parties (including both the general public as well as the organization, individual, or business providing wireless Internet access). In light of rapid changes in the cybersecurity world and with technology at large, it is essential for an AUP to have the flexibility to adapt to changes in infrastructure and security threats. This includes regular reassessments of the AUP to prevent it from becoming outdated. Although it is important to implement an accessible use policy as soon as possible, the white paper recommends assessing general Internet activity for a brief period of time in order to correctly gauge the scope of public Internet behavior. This will assure a more tailored and ultimately more effective AUP. When personalizing other acceptable use policy templates, it will be necessary to include a lawyer who is familiar with local and regional regulations (EPB Fiber Optics goes so far as to explicitly inform the reader that their Acceptable Use Policy is not an appropriate stand-in for official legal counsel). According to wireless/networking expert Bradley Mitchell, “the best AUPs incorporate ‘what if’ scenarios that illustrate the usefulness of the policy in real-world terms.” The policies of major organizations also tend to preclude prohibited behavior with a more positive list of best practices. These include the respect for privacy, adherence to local and regional laws, and (if applicable) courtesy in regards to security and functionality of public computers. This sets the foundation of the more specific guidelines to follow and gives the reader an idea of what to expect.
Examples of common AUP topics
If there is a time limit (this is common in public waiting spaces such as airports and train stations), specifically state how long the user will have access and the amount of time until the user may reconnect. In the case of monitoring software, clearly explain what level of privacy individuals can expect while accessing public wireless Internet. Topics typically fall into categories of computer security, legal prohibitions, and universal standards of network etiquette. The security component of an AUP should discuss the transmission of private and sensitive data and effective password management (when applicable). Providers should prohibit users from using the public WiFi to spam, distribute malware, or forge headers. Some organizations extend the spam prohibition to include any distribution of unsolicited advertising. Users should also be banned from attempting unauthorized entry into private systems (“hacking”), both within and outside the systems of the host organization. The AUP should prohibit the use of software or applications that actively assist in circumventing policy guidelines. In general, downloads should be addressed according to regional laws, the host organization’s own network resources, and any location-specific security concerns (for instance, those offering public computers often wish to avoid installation of malware and may require authorization before all downloads). Depending on the environment, those who use a public space to access pornographic or obscene material may be accused of creating a hostile environment for others in the surrounding space. If certain websites are blacklisted from the public service, the AUP should also explicitly prohibit all attempts to circumvent filtering measures. Organizations often warn users against violations of local and regional law, but some universal legal examples include using public WiFi for purposes of theft, fraud, or accessing illicit material. Commonly enforced standards of network etiquette include prohibition of the use of public WiFi to harass, threaten, or intimidate others. If possible, the organization may consider past instances of public network abuse and use those scenarios when writing up a policy. Those who are drafting their first Acceptable Use Policy have the advantage of several online templates to use as models. An AUP that is specific to the organization’s expected clientele is likely to be the most effective. It is therefore helpful to seek other policies from a similar industry (for instance, a public library, educational institution, or local business). Some city- and industry-specific examples include: municipal public WiFi in Fairfield, Ohio; business public WiFi at Peet’s Coffee & Tea; county public WiFi at the Indianapolis Public Library. The AUP should be sure to provide a point of contact should the user have questions or concerns, and may reserve the right to contact users or suspend privileges at the organization’s discretion. The American Library Association recommends Acceptable Use Policies contain disclaimers, informing all users that the organization is not responsible for Internet content or harm to the user’s device while using public WiFi.
Risks associated with noncompliance
As previously stated, the policy should first outline any and all monitoring and enforcement techniques. Typically, this is where the AUP will state that users may be subject to loss of access privileges. Depending on the context of the organization, it may also be appropriate to specify a time frame until the individual may request renewed access. Users found using public WiFi to conduct illicit activity may be subject to civil and criminal prosecution according to local laws. When applicable, an AUP may outline the different noncompliance penalties if the organization’s public WiFi will be accessed by different user categories. For instance, while a business patron may simply lose WiFi privileges, an employee of that same business may suffer additional work-related penalties for violating the policy. The policy should also directly state whether noncompliance may result in removal from the premises or denial of other services the organization may offer. With the use of public WiFi expected to increase exponentially in the next four to five years, patrons, business customers, and organizational members will all come to expect and appreciate reliable access to public wireless Internet service. Unfortunately, as access increases, so too does the potential for harm via malicious attacks and unintentional misuse.
Conclusion
Following a clear, detailed, and adaptable Acceptable Use Policy template is the first line of defense between an organization and the security risks associated with public WiFi access. Depending on the context of the WiFi service provider and the needs of the general public, those drafting an AUP should consult their organization’s IT department and security professionals, as well as seeking the appropriate legal counsel. An effective AUP template will involve feedback from the entire community and will take into consideration the particular challenges, scenarios, and needs of each individual provider.