On Mon, 2007-08-06 at 15:58 +0100, Matthew Holland wrote:

What record-keeping responsibilities does a business running a WiFi hotspot for its customers have? They're effectively acting as an ISP, but if they're not keeping proper logs then 'customers' could perpetrate computer crime and be traceable only as far as the business's internet connection (for which they are responsible, of course).

This is a really good question. I have a range of clients who provide "public" wireless broadband access for customers. These range from those that just have a standard access point with no security to those who have specialist equipment that issues short term passes.

This question has popped up in all cases.

My current understanding is that in the event "something" happens on a given connection the wost that will happen is that all computers owned by the authoritative "owner" of said connection will be considered for forensic analysis and if nothing is found that supports the "crime" detected on the line then the problem is assumed to be a unidentifiable third party.

I mean in the event of say providing wireless broadband to customers of a coffee shop what in all honesty are logs going to give you ? If you take payment for connection you might possibly in some cases have a card number (or if it is a payment gateway type service like openzone) , but in the majority of cases we are probably dealing with either a service provided gratis to paying customers or something where a cash payment is taken. So then you have an easily spoofed MAC address that is not one of the machines on site *at that time* and that is pretty much it.

Of course the other thing worth considering is that the ISP may receive a complaint and shut the connection down for being in breach of the terms of service...or in some cases you may find that actually offering third parties access to your connection is a beach in itself.