I have been involved in the effort to improve regulation of WiFi equipment for a while. The FCC has proposed new regulation in the US that would result in WiFi devices being even more locked down than they are currently. A new EU directive on radio equipment could have the same effect.
This is bad because locked-down devices can’t be updated to improve their behaviour or to fix the often serious security holes that are all too common in these devices. I plan to follow up this post with another that goes into more detail on why this development is so worrisome, and what should be done instead. However, this post will focus on what exactly is going on in Europe. It is based on a mailing list post of mine from last week.
The new EU directive
The directive pertaining to radio equipment certification is Directive 2014/53/EU, which was passed last year and needs to be implemented by member states by June 2016. The directive is an update of the previous directive from 1999, and is, as far as I can tell, a fairly routine update. However, some of the new language is problematic, in particular article 3.3.
Article 3.3 of the directive has a set of extra requirements that are applicable to some types of radio equipment. The power to specify which types of equipment are covered by which of these points is delegated to the European Commission in accordance with article 44 of the directive.
It appears that the previous legislation has defined two classes of radio equipment:
Class 1, which has no restrictions and includes the 2.4 GHz band as well as the 5 GHz band from 5.47-5.725 GHz.
Class 2, with more restrictions, which includes frequencies from 5.15-5.35 GHz.
Presumably these classifications will be kept going forward. However, how they map onto the different requirements in article 3.3 of the new directive I don’t know, and I’m not sure that has actually been defined yet.
The requirements for certified equipment
The points of article 3.3 are potentially both good and bad. The problematic one for the firmware issue is this one:
“(i) radio equipment supports certain features in order to ensure that software can only be loaded into the radio equipment where the compliance of the combination of the radio equipment and software has been demonstrated.”
This can certainly be interpreted as a general lock-down requirement. There is an introductory recital that says, in relation to this:
“Verification by radio equipment of the compliance of its combination with software should not be abused in order to prevent its use with software provided by independent parties.” (point 19).
However, since this is not part of the directive proper, there is no guarantee that it will be carried over to the member state implementations. Or be adhered to at all, for that matter.
Of the other requirements in article 3.3, the following could arguably be leveraged to push for more openness:
“(d) radio equipment does not harm the network or its functioning nor misuse network resources, thereby causing an unacceptable degradation of service;”
“(e) radio equipment incorporates safeguards to ensure that the personal data and privacy of the user and of the subscriber are protected;”
But again, it depends on the member state implementation.
Compliance and harmonised standards
Article 4 of the directive specifies that the manufacturer must document the compliance “of intended combinations of radio equipment and software” and that “the information shall precisely identify the radio equipment and the software which have been assessed”. Article 4 also refers to article 17, which in turn says that “Where the radio equipment is capable of taking different configurations, the conformity assessment shall confirm whether the radio equipment meets the essential requirements set out in Article 3 in all possible configurations.”
Article 16 of the directive says that there is (or will be) a set of “harmonised standards” which can be published in the “Official Journal of the European Union”. Any equipment in conformity with these harmonised standards is automatically presumed to be in conformance in all member states (overriding any member state rules, as far as I can tell). What this means is that member states can potentially be more lenient when assessing equipment (in their interpretation of the problematic point 3.3(i), for instance), but cannot prevent something that has been certified to comply with the harmonised standards from being marketed. So any mandate of openness (like that proposed in the CeroWrt letter to the FCC) would have to be at the EU-wide level as well as the member state level.
Member state implementations
Since the directive has already passed at the EU level, it now needs to be implemented by the member states. As mentioned above, the deadline for this is June 2016. How the member states actually implement the directive can have a large effect on how the problematic language will actually affect equipment.
I contacted the Swedish government to enquire about their plans for how to implement the directive into law. They referred me to an extensive memorandum (in Swedish) on their plans, which, as it just so happens, was in the hearing phase at the time. It basically says that the directive will be implemented in a way that delegates the assessment of compliance, and the actual definition of which rules equipment needs to follow, to the government agency regulating telecommunications (“Post- och telestyrelsen”). The reasoning is that the actual requirements are both liable to change (by decisions made by the European Commission) and too technical and detailed to be in the law.
The introductory recital (19) was not carried over to the government memorandum. My university has submitted a hearing response that points out this omission, and asks that the ability to replace device firmware be stressed in the law comments so as to be carried over to the actual regulation.
Update: The press release accompanying the submission has now been released (it’s in Swedish).
The only public statement I have come across regarding this issue is this blog post, also linked above. It includes a call to action (which I took inspiration from to start collecting all this info) and an email address to forward information to. I CC’ed the original email (which this blog post is based upon) to that address, and got a reply from Sebastian Raible, who is Parliamentary Assistant to MEP Julia Reda (the owner of the blog linked above). He confirmed that the above summary is a reasonable representation of the issues in the directive.
Where do we go from here?
It would appear (extrapolating from the Swedish case, and mirroring Julia’s blog post linked above) that in the short term, the main thing to do is to get hold of the national government agencies implementing the rules, and push for a reasonable implementation. Longer term, using the momentum from the campaign against the FCC to actually get better regulation at the EU level would of course be desirable.
I have not managed to find any coordinated effort to affect things at the EU level, but will look harder. And, as I mentioned above, I plan to follow up this post with one explaining why this is so important.
Stay tuned! :)
Update: The follow-up post is here.