From sef1@westchestergov.com Mon Nov 7 13:04:41 2005
Date: Mon, 7 Nov 2005 12:49:34 -0500
From: "Fernqvist, Scott"
Subject: Wi-Fi Security Legislation

Dear Ryan,

Thank you for sharing your thoughts on the recently introduced Wi-Fi legislation. The County Executive asked me to get back to you to clarify a few important points about this proposal. There appears to be a good deal of misinformation with respect to the legislation that we would like to address.

Despite the claims of some people, the legislation does not seek to ban the use of Wi-Fi. Rather, it is designed to get commercial businesses which collect personal information or who offer their customers Internet service to install minimum safeguards. The legislation does not criminalize the use of Wi-Fi, require businesses to pay service or licensing fees and the legislation does not cover the use of private wireless service at home.

The legislation is primarily aimed at raising public awareness to get commercial businesses to better protect the personal information of their customers and to advise people who use the Internet in public access areas of the risks involved with Wi-Fi. We anticipate that the business community, many of whom are entirely unaware of this problem, will do the right thing and take the necessary precautions to safeguard their databases.

Ever-evolving wireless communication technology has been a boon to Internet use and mobility, but it has also raised concerns about the security of personal information such as social security numbers, credit card and bank account information. One of the fastest growing areas in this regard is wireless fidelity or "Wi-Fi" which offers wireless Internet access. The Wi-Fi trend has caught on and there are a growing number of large and small commercial businesses using Wi-Fi networks internally or offering wireless connectivity to the public, colloquially known as "Internet cafes" or "hotspots".
These Wi-Fi "hotspots" unfortunately offer an increased opportunity for identity thieves to prey on Internet users who might otherwise believe their personal information is secure. It is not only the individual Wi-Fi user who is at risk of identity theft. Identity theft may also occur when a retail business offering Wi-Fi also utilizes the same network to conduct its day-to-day internal business. This practice could place a customer, who has given confidential information to that business, at risk for identity theft if the appropriate security measures, such as installing a firewall, were not taken.

A series of recent reports in the news has shown an increase in the rise of drive-by hacking, where thieves singled out stores with strong wireless signals and weakly protected data. Using a laptop computer outfitted with an off-the-shelf wireless card, the thieves were able to pick up signals around the store and use them to gain access to its computer systems. According to a July 26, 2005 New York Times article titled "Main Street in the Cross Hairs," for more than a month hackers "robbed" the same shops again and again of premium credit card account numbers stored in their databases. This is not an isolated instance and studies have shown that approximately one-third of businesses with wireless networks are open to abuse from hackers and criminals in the street.

We encourage you to visit Westchester County's website www.westchestergov.com and read the legislation for yourself to better understand its purpose, what it intends to do and whom it covers.

Thank you.

Andrew F. Neuman
Office of the County Executive