XIV. Miscellaneous Questions

Legal Obligations for logging Guest Internet Access

If you provide guest access to the Internet, for example WiFi in your coffee shop, the question of whether you are required to register, log or retain user data (identity or usage) is a complex area, not least because there is conflicting and continuously changing information.

Many organisations log the information, believing it to be required; others do not log it at all, or log only some of it (for example usage, but not identity). There are other commercial benefits to logging such information - for example, asking for people's email addresses also enables you to ask whether they wish to opt in to email lists. We note that some providers make the receiving of marketing emails a mandatory requirement if you wish to use a facility's "free" WiFi service.

This area of logging users is an ever-evolving landscape, so what is valid at the time of writing might not be at the time of reading. Furthermore, laws can be unclear, ambiguous or conflicting, so it's necessary to state clearly that this article represents our understanding, but you should obtain professional legal advice before relying on anything here.

It's really difficult to give you a definitive answer on whether you are or are not required to log public Internet access, or one that, even if valid today, will still be valid tomorrow or when you read this. For example, this article was first written in 2015, since which time the European GDPR regulations came into force, which changed obligations and arguably made them more complex.

Effectiveness and Purpose

The justification for these laws has been to combat terrorism and the most serious crime (the public would never have accepted this level of tracking/intrusion if it was just for trolls or mischief makers). A technically capable perpetrator does have many options available to them to circumvent tracking or mask their activities (VPNs, dark nets, one-time email, SSL/TLS, untracked providers, PAYG cellular SIMs, unauthorised use of others' connectivity etc.), but presumably some are less sophisticated or don't care about being tracked after the event. People guilty of lower-level crimes (piracy, trolling etc.) or whistleblowers are less likely to make the same effort to cover their tracks.

Relevant Legislation

The following is a list of the most common or relevant legislation we're aware of affecting this subject. As this is an ever-changing landscape, it is not to be taken as legal advice or as comprehensive:

European General Data Protection Regulation (GDPR)

GDPR came into force in June 2018. This attempts to regularise many of the previous regulations and to increase data controllers' responsibility to look after, protect and use data subjects' data accordingly. In respect of guest internet access, your obligations will include being clear to your users about what data you will collect, what it's used for and how long it's kept for, keeping it securely, notifying of breaches, allowing for corrections, and providing users' own recorded data on demand. Where data is anonymised and not logged against a known person, this may not be required, though our (non-legal) view is that this is a minefield yet to be tested, as is the crossover between previous and new legislation.

European Directive (2006/24/EC)

A European Directive (2006/24/EC) in 2006 mandated providers throughout Europe to retain customer data relating to electronic communication services. Data was required to be retained for between 6 and 24 months. Police and security agencies could then request that data from the service provider. The directive specifically cited combatting terrorism as a justification but journalists, medical professionals, IT security experts, scientists and various other groups objected to the legislation.

"Service Provider" itself is a very broad term and, whilst it was assumed to include telcos and ISPs, it could also include coffee shops, schools or anyone providing WiFi access. The data retained would include users' IP addresses, time of access and the time of every email, call and text message sent or received. In April 2014, the European Court of Justice annulled the directive, citing that it was undue interference with citizens' privacy.

The Data Retention (EC Directive) Regulations 2009

This UK law transposed the requirements of the European Directive into UK law. Although the directive was annulled, when asked, the UK government said that the law still applies, despite the European court ruling that such retention "breaches citizens' fundamental right to privacy".

Digital Economy Act 2010 (DEA2010)

Part of this legislation relates to unlawful activity on your Internet connection and the fact that you, as the owner/operator of the service, may be considered the most likely or possible culprit of any unlawful activity. For that reason, in order to protect yourself if you do allow others or the public to use your systems, you may wish to keep records which could help show that you were not responsible. It is our opinion that simply showing that (for example) a pirate movie was downloaded via your IP address would be insufficient to convict you, especially if you can reasonably show that other people may use your connection.

Even if the DEA doesn't catch you, this doesn't mean, as has happened in the past, that copyright holders won't directly demand penalties under threat of legal proceedings, sometimes against entirely innocent people who, faced with being publicly accused of downloading (say) pornography, pay up. Certainly never leave a WiFi connection without a password, for many reasons, but in relation to this topic in particular, to stop people using it without permission; and if you offer guest access, consider blocking protocols which are mostly used for piracy or unlawful activities (torrents, Tor etc.).

Ofcom's "DEA Initial Obligations Code"

Augmenting the DEA2010 further, Ofcom have their own set of rules and warn consumers about the risks of letting other people use their connections. Ofcom's "three strikes" rule could cause suspension of your service if you repeatedly allow pirated materials to be downloaded through your connection, and ISPs are obligated to identify you to the copyright holders.

That is, the copyright holder would normally only know your IP address; the ISP is required to identify you fully. The rules and obligations are different for businesses which provide Internet access (or WiFi) as a service (for example a coffee shop), and such businesses would not be assumed to be the responsible party.

January 2004 Code of Practice (Voluntary Retention of Data)

This code of practice was a result of Part 11 of the Anti-terrorism, Crime & Security Act 2001. It is voluntary, not mandatory (at the time of writing).

Data Protection Act 1984

Under the DPA, the users whose data you actually store or retain, where they are identifiable, have a right to request that data from you (you may charge a reasonable fee).

So, that's a summary. As we said, we can't give you a definitive answer which will stay valid as things evolve, but you may be able to make a value judgement on what you should do, or at least know where to look further. If in doubt, take formal qualified legal advice in your country. This is a UK article, so if you are reading this elsewhere, your laws and requirements will be different.