You hate AUPs, but you need one for guest Wi-Fi access

If you are a smart enterprise customer, you hate carrier "acceptable use policies" (AUPs). They have virtuous roots (avoiding liability for customer communications under the Digital Millennium Copyright Act) but have morphed into lengthy, (allegedly) non-negotiable, overly broad and one-sided "agreements" that make the customer responsible for all kinds of things for which it isn't really responsible and shield the carrier from responsibility for things for which it should be responsible.

It's all true. And you need one of your own.

HOW-TO: Improving network access security for unmanaged devices

For years visitors have asked to use your company's wireless Internet access without charge while on-site. You may have said "no," leaving a bad taste but protecting your company. You may have said "yes," but then had to spend time jumping through hoops (locating, assigning, handing out and retrieving SecurID tokens). If that was too burdensome, you may simply have told guests the name of your company's wireless network and given them a password (as we've done in years past). That is much better received, but allowing others to use your Internet connection carries risks. Many of these can be mitigated, but only if proper controls -- and an AUP -- are in place.

The risks of providing Internet access to non-employees

Unless your company's primary business includes providing Internet access to others for a fee, you are purchasing Internet access from an ISP subject to the terms of a contract that incorporates the ISP's AUP. Although AUPs differ, all include lengthy lists of prohibitions on certain uses of the services, such as spamming, hacking, phishing, falsifying information, distributing copyrighted or protected materials without authorization, and otherwise infringing intellectual property rights.

Much of this doesn't sound bad, but the prohibitions are often so broadly written that sending an unsolicited email to your spouse is a violation. They include broad rights for the ISP to take down the services, in many cases without notice, if you or anyone that uses your Internet access service violates the AUP. They also make your company solely responsible for the security of its network and of the information transmitted or received over the services, for the security of any user accounts or passwords necessary to access the service, and for content transmitted or received over the services by anyone that uses your Internet access. Finally, your company is solely responsible for all damages related to violations of the AUP by the company itself, by its employees, and by anyone that accesses the Internet through the services provided by the ISP.

The biggest operational risk is that the ISP takes down your Internet connectivity because of "bad conduct" by a guest. While companies know and trust their employees and can be reasonably comfortable that their use of the Internet will not involve (to an egregious degree) the types of activities prohibited by service provider AUPs, they can't have that same level of trust in visitors. (In truth, many security breaches are the work of insiders, but the risk of bad behavior is worse for visitors where the company has limited control.)

The financial risk you run by providing guests unfettered network access is tough to determine because it involves a number of sources: your ISP contract, federal laws (copyright, trademark, computer fraud, privacy) and state laws (defamation and other publication-based torts, negligent failure to prevent hacking of others' networks or transmission of malware) -- and depends on whether your company's actions allow it to benefit from liability protections available under federal law, such as meeting the criteria for "safe harbor" protection under the Digital Millennium Copyright Act. Exploring all the statutes and doctrines that create risks, and all the ways to take advantage of certain liability protections available under federal law, is beyond the scope of this article, but it is key to reducing your company's financial exposure.

Mitigating operational and financial risk

You do not like exposure to operational and financial risk, but you want to provide Internet connectivity to visitors. To do that, you have to do what the ISPs have done -- create an AUP for visitor use of your Internet access. You are providing that access as a convenience and should be able to take it down for any reason, with or without notice. You don't want visitor actions to violate your ISP's AUP, so make guest use of your Internet access subject to the limitations, obligations and responsibilities in your ISP's AUP. Spell out the prohibitions on use, the password requirements, the visitor's liability for anyone's use of the password arising from the visitor's failure to comply with your AUP, and your rights to monitor, copy and disclose content, email addresses and other materials gathered from or related to the visitor's use of your Internet connection.

Your ability to enforce your AUP will depend on having processes in place to provide guest passwords and document visitor acceptance of the terms.

For long-term visitors, like consultants or vendors who are on-site for extended periods, include a provision in your core agreement obligating all consultant/vendor personnel to comply with your AUP and making their employers responsible for compliance, which provides better protection against financial risk. Maintaining this contract is easy; getting the consultant/vendor to agree may be a bit tougher (the alternative is to require the consultant/vendor to provide its employees with their own wireless Internet access). You also want to assign user-specific passwords to these individuals, which allows you to take down an individual violating your AUP (by deactivating his/her password) without disrupting use by others.

For short-term visitors, you need a simple, ongoing process to get agreement to your AUP. The process should (1) not provide Internet access until the visitor accepts the AUP, and (2) maintain the confidentiality of any and all passwords. Many companies do this by including a "splash" page with their AUP that creates an obligation to click "I accept" before connecting to the Internet. If this is your plan, you need to have a way to identify the individuals who accepted the terms to maintain appropriate records of their acceptance.

Other enterprises have the security desk require visitors seeking to use the company's Internet access to sign a printout of the current AUP, or have the security desk present a copy of the AUP and require visitors to sign a box in the visitor log with their name and agreement to the AUP. The security desk is instructed not to provide the password until it has a visitor's signature.

If your employees (rather than the security desk) distribute the passwords, they should be reminded repeatedly not to do so until they receive a signed copy of your AUP. You then need a repository for the signed documents and instructions on how, when and where to submit them. This is burdensome and presents problems, but it's far better than having no process at all.
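The two controls described above for long-term and short-term visitors (per-visitor credentials that can be revoked individually, and no access until the visitor's acceptance of the current AUP is on record) can be modelled in a small acceptance ledger. The following is an added illustration, not code from the original article or any product it mentions; the AUP text, visitor names and credential format are constructed samples.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timezone

# Constructed sample AUP; a real deployment would load the current AUP document text.
AUP_TEXT = "Guest Wi-Fi Acceptable Use Policy v1 (constructed sample). No spamming, hacking or infringement."


def aup_version(text: str) -> str:
    """Identify the exact AUP wording a visitor accepted by its SHA-256 digest."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


class GuestAccessLedger:
    """Records who accepted which AUP version, and issues/revokes one credential per visitor."""

    def __init__(self, aup_text: str):
        self.aup_hash = aup_version(aup_text)
        self.records = {}  # visitor id -> acceptance record

    def accept(self, visitor_id: str, organisation: str = "") -> str:
        """Store the acceptance record first, then issue a unique credential for this visitor."""
        credential = secrets.token_urlsafe(12)
        self.records[visitor_id] = {
            "organisation": organisation,
            "aup_hash": self.aup_hash,
            "accepted_at": datetime.now(timezone.utc).isoformat(),
            # Only a digest is kept, so the ledger itself does not expose guest passwords.
            "credential_hash": hashlib.sha256(credential.encode()).hexdigest(),
            "revoked": False,
        }
        return credential

    def revoke(self, visitor_id: str) -> bool:
        """Cut off one visitor without disturbing anyone else's access."""
        rec = self.records.get(visitor_id)
        if rec is None:
            return False
        rec["revoked"] = True
        return True

    def update_aup(self, new_text: str) -> None:
        """A new AUP text invalidates earlier acceptances until visitors re-accept."""
        self.aup_hash = aup_version(new_text)

    def is_authorised(self, visitor_id: str, credential: str) -> bool:
        """Grant access only for a known, non-revoked visitor who accepted the current AUP."""
        rec = self.records.get(visitor_id)
        if rec is None or rec["revoked"] or rec["aup_hash"] != self.aup_hash:
            return False
        presented = hashlib.sha256(credential.encode()).hexdigest()
        return hmac.compare_digest(rec["credential_hash"], presented)
```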

Regardless of which short-term visitor process is used, the terms of your AUP may be enforceable only against the individual and not the company he/she represents. That's not optimal, but it's much better than nothing.

Bottom line: It's a dangerous Internet world. You can't make it absolutely safe for your company, but you can limit/control some of the risks. And you should.

Boehling is a partner at Levine, Blaszak, Block & Boothby, LLP, a law firm that specializes in the representation of enterprise customers in connection with network services and IT agreements, disputes with carriers, and related regulatory matters. Information about the firm is available at www.lb3law.com.


This story, "You hate AUPs, but you need one for guest Wi-Fi access" was originally published by Network World.

Copyright © 2011 IDG Communications, Inc.
