A tough case in front of the Kreisgericht – something like a district court – in the city of Rorschach: A man who owns and operates a restaurant is accused of having downloaded child pornography on one of his computers. While this is illegal and the log files from the local network proved beyond a doubt that the child pornography did indeed transfer in that network, the case got rather interesting rather quickly.

Despite forensic analysis of any and all computers in the building with the full cooperation of the accused, the following things stood out.

• There was no child porn on any of the computers the 44 year-old man or his family owned
• Apart from the log files, there wasn’t any trace of the files
• The log files state without a doubt that the files were transferred during lunchtime

So the man got accused of using a rather old file sharing program called eMule to download and watch files. To obscure his traces, so claims the persecution, he had a program installed that deletes the files when he turned off the computer.

In the end, the man was deemed innocent by the courts because not only were there no traces of child pornography but also the program that deletes files when the computer shuts down wasn’t found. Furthermore, the defence argued, the man was always busy at lunchtime as his customers wanted food. So he would have no time to watch anything on any screen, let alone pornography.

How did these log files come to be? Simple. The accused offered his guests a free wireless LAN connection. It was password protected, he said, but the password was written on a little sign in the restaurant. So it could have been anyone in the building. In a restaurant that does well, there are quite some people. That was what the court concluded.

Guests have come to expect free WiFi over the past few years. This creates a number of problems, not all of which are related to pornography.

What the Restaurant’s LAN Looked Like

«This case is a bit of a special one», says Olav Humbel, District Judge who presided over the hearing. The man didn’t just offer his guests a WiFi-network, but also gave his guests access to a laptop and a PC that belonged to him. This is bad. Very bad. It got him into trouble and thus is definitely not a viable model of supplying guests with internet access.

Even with logging solutions, there are some ways to circumvent logging activity on the local machine and obfuscation of your own IP address. «There was talk of using TOR and other methods of camouflage», says Humbel.

First, let’s not even think about the notion that in the fictional restaurant we’ll use in this article might provide guests with access to computers that belong to the restaurant owners. Far more common is the method that gastronomes have a wireless network for their customers.

The solution would be easy: More Surveillance. Simply monitor the entire traffic on the network and assign unique identifiers to devices connected. But this is not what we are advocating because the law says that everyone is innocent until proven guilty. By employing larger-scale surveillance, we imply the opposite, that everyone is guilty until proven innocent.

Content Filtering

By far the easiest solution to make sure that your guests don’t go on any malicious or otherwise undesirable sites is by activating a content filter. There are many vendors that offer content filtering, each promising phenomenal results. McAfee clutters up a sentence with an amazing amount of buzzwords.

McAfee Next Generation Firewall deep inspection technology can be augmented with URL category-based filtering for HTTP traffic. With this feature, Next Generation Firewall protects users and businesses from the risk of exposure to inappropriate and malicious web content.

Most content filters operate on a blacklist approach. Not just URLs get filtered but also keywords on websites. Some filters can be configured, others can’t. Content filters are nowhere near as effective as one would like. There are many ways to circumvent them, some of them are as easy as shooting fish in a barrel. People who want to spread their illegal content will find ways to fool the software into thinking that the content being viewed is legal and clean.

All in all, while somewhat secure and not the worst idea in a public environment, content filters are highly likely to not deliver the level of security that is expected from a restaurant’s open and public WLAN.

Psychological Barriers

If the easy software solution of content filtering does not work, then maybe mind games will. In a bit of social engineering, users can be forced to sign in. The procedure is easy and every user has encountered it once in Starbucks or McDonalds or airports. Basically, this goes like this:

1. Connect to Wireless Network
2. Enter mobile phone number
3. Receive confirmation text message
4. Surf the net

That way, the users get tied to some form of unique identifier. Problem is that doesn’t work if the person brings their own laptop due to lack of text message features. And even if there’s no confirmation text message, people are likely to enter a valid phone number.

This method is also unreliable. Because just because someone entered their real phone number into a system does not mean that they will behave in your WiFi network. There are also the disposable online phone numbers that can be used to receive registration codes. To use those as a circumvention technique, users would require a phone that supports mobile data, though. Which is pretty much every phone these days.

The Safe Alternative: Shift the Blame

There’s a variation of this method. However, it has the pitfall of not being the best service you could give your clients: Have an Internet Service Provider install and run an access point in your restaurant. The result: you go scot free if people do illegal shenanigans in your network. It simply isn’t your network anymore. Problem solved.

On an ideological note: You will contribute to Big Data and massive statistical analysis. Whether or not this is an issue is entirely up to you.

Changing the Viewpoint

Until now, we’ve only tried to stop users. The problem we encountered is that human beings are amazingly creative when it comes to getting what they want. Let’s look at the person who downloaded the child porn in the case that saw the 44 year old man acquitted at the Rorschach district court.

• The culprit used an out-dated software that hasn’t been updated since 2010
• The culprit went to a public space to get his fix
• Some search terms used were deliberately made to obfuscate the real meaning of them such as replacing the letter O with the number 0.

It’s time to shift our perception of the problem. There’s no such thing as the complete censorship of illegal or generally undesired content. This is both tragic and amazing, considering the fact that people stay curious and inventive, albeit for all the wrong reasons.

Therefore, we can only make sure that we’re safe ourselves, that we can’t get into trouble. It is here that we, as fictional restaurant owners, need to stop thinking that we are working against our users and adapt a mentality that all restaurant users do with their food anyways: We give the guests what they want.

That doesn’t mean that we’re launching advertising campaigns with content along the lines of Free WiFi and 30GB of porn that is banned in twelve countries, but we need to think that we are – when all the chips are down – on the side of our clients preferably without getting into trouble ourselves. Think of serving internet as we serve guests fresh produce because they want a tasty thing and we don’t want the health inspectors down our throat because we sell rancid vegetables.

Securing our Network

Under that light, the solution becomes even easier. Now we suddenly have reduced our field of enemies by all but one. And that one enemy left is us. So let’s see that we can’t get harmed by anything our admittedly creative and cunning users can throw at us.

With ideal configuration and a bit of technological trickery, your network will be private and anonymous. However, depending on how lawyers and courts see this, you will still be punished. As an accessory because you are creating an environment that protects illegal activity. There are a number of safety precautions you can take, but none of them will protect you from the law.

So… No WiFi?

Running a public WLAN is risky business. As we’ve seen at the District Court of Rorschach it can get you in trouble. You can minimize the threat to yourself by both technological and legal means, but there’s still a remaining risk. To minimize the risk, sometimes there’s considerable effort involved.

The best solution is to get an external internet service provider into the public space you want your WiFi to be in. This doesn’t solve the problem but most likely will keep you out of jail. This creates a whole new set of problems if you subscribe to an ideology opposed to Big Data.

About the Author

Dominik Bärlocher has been working with IT subjects since 2006. The journalist relied on his affinity for all things IT during his tenures at news papers and benefited from it. At scip, he conducts OSINT researches and is an expert at information gathering.

Links

• http://en.starbucks.ch/coffeehouse/wireless-internet
• http://www.dailymail.co.uk/news/article-2690490/Service-time-restaurants-doubled-past-ten-years-customers-cell-phones-blame-claims-busy-NYC-restaurant.html
• http://www.emule-project.net/home/perl/news.cgi?l=1&cat_id=22
• http://www.mcafee.com/hk/products/network-security/next-generation-firewall-technologies/url-filtering.aspx
• http://www.mcdonalds.com/us/en/services/free_wifi.html
• http://www.zurich-airport.com/passengers-and-visitors/airport-services-en/internet-and-mobile-phone
• https://blog.torproject.org/running-exit-node
• https://www.torproject.org/