Minneapolis wireless ISP charges users for free Wi-Fi hotspots

A disaster that was waiting to happen. It has been reported that US Internet charged the credit cards of users of its free Wi-Fi hotspots, accidentally they say. US Internet says it did not charge the credit cards of free WiFi hotpots users and that it had only sent out invoices. Moreover, USI claims it alerted customers to the problem and corrected it promptly (also says original Fox News article is inaccurate).

US Internet also claims that federal law requires it to use credit card information to authenticate users on its network, however, I have not been able to find the specific regulation. If someone has the citation to the federal law in question, please post below in the comments box.

Of course there are other ways to authenticate users, for example, via their Facebook or Twitter accounts. This is what a lot of services already use although I used many free Wi-Fi hotspots (airports, hotels, cafes, downtown Wi-Fi hotzones, restaurants, conferences and more) and have never been asked for credit card information or even my Twitter/Facebook id. US Internet’s policy needlessly collected sensitive information and discriminates against people without credit cards (young people, the poor). I am against this policy. Furthermore, by collecting credit card information unnecessarily, US Internet makes itself a juicy target for hackers. I would NEVER send any credit card information to US Internet. You have all been warned!

Ultimately the Minneapolis city council and municipal government are responsible for the actions of its wireless ISP since they hired US Internet to deploy and run the network. Shame on the local government for letting this ISP get away with this rubbish. US Internet is now scheduled to roll out the citywide Wi-Fi network in Riverside, California. Let’s see if they do the same there.

Read my earlier post: How Odd You Need a Credit Card to Access Free Wi-Fi in Minneapolis

Comments

  1. The federal regulations they are referring to is the requirement that ISPs are CALEA compliant. While the full implementation of CALEA is quite fuzzy it does seem to require that you have the ability to log all of your end-users activity and have a knowledge of who that end-user actually is. Unfortunately anyone can create a fake facebook, twitter, google, or openauth account, so it’s not a valid means of authenticating a user. For that matter, you can go out and buy a VISA gift card to authenticate your account with, so I’m not sure the method they’re using is rock-solid, but certainly more reliable than a facebook or twitter account. While I don’t agree with the law or the need to follow it, USI is just trying to follow the rules. You can’t really hold that against them. For the record, I have no affiliation or interest in the company nor their success.

  2. Tyler,

    Haven’t you heard of stolen credit cards? You can also impersonate someone else by using a stolen card. As you say, CALEA is fuzzy so using credit cards to authenticate people is one of the worst things to do especially since you make your servers a very attractive target for people who want to steal credit card information.

    You excuse USI’s behaviour by saying they are only trying to follow the rules. But they don’t even know what the rules are! They spout off nonsense like federal law requiring credit cards to authenticate people. That is total BS. Check out what their CEO said in a comment to my previous article. Same rubbish about needing credit cards.

  3. We did not charge anyone’s credit card, this is information is 100% false.

    We are open to other ideas to maintain CALEA compliance, if you have another option we are all ears.

    Thanks.

    Travis Carter
    VP Technology
    US Internet Corp

  4. Appears I can’t edit posts, should read;

    We did not charge anyone’s credit card, this information is 100% false.

    Thanks.

  5. Travis,

    Don’t you know how WordPress powered sites work? You post your comments, we approve them and that’s it. So post away.

    What’s your problem? What is false? Your nefarious business practices? The fact that you require people to put in sensitive credit card information for a FREE service? Not only do you make it very unsafe for everybody by making your servers a perfect target for hackers, but you are exposing your company to liability for stolen credit card information. I strongly suggest having another deep conversation with your lawyers as to your exposure to liability.

    By the way, enough sites out there authenticate using info OTHER than credit card information. And don’t give me this crap about federal law. Until you send me the EXACT federal statute that says you are required to use credit card information, I do NOT believe you.

    I hope your company isn’t going to foist this on Riverside, California,

  6. M. Ferguson says

    Travis,

    May I suggest using oAuth for authentication.

  7. False is, we did not charge anyone’s credit card, your articles states “US Internet charged the credit cards”. This is incorrect. Appears you just spout off before checking the facts, did you speak with anyone at USI about this issue or just read the local press report, btw, was incorrect.

    M. Ferguson, thanks for the suggestion, I’ll take a look into oAuth.

  8. Please read the full sentence carefully again: “it has been reported that US Internet has charged the credit cards …”

    That is correct. Fox did report it.

  9. Travis,

    You have never heard of oAth? Now I am really scared. As a person who works in tech and specifically online access, you should have known of it by now. It has been around for years!

    Aren’t you curious about how airports with free wifi log in people? I have never entered my credit card details for their free wifi service.

  10. Fox was incorrect with the facts, this website is incorrect with the facts, even underlining in red, “US Internet charged the credit cards”.

    If you want to actually report the story correctly we are happy to speak with you about it.

    If you want to rationally discuss the current policy on free wifi access in the city of Minneapolis, we are happy to discuss it.

    We can and often do change the policies at our company, there is no reason to think that if we can find a solution that meets the needs of the city, law enforcement, and the community we would be happy to deploy it. You think we want to collect credit card information from people? We are following the recommendations of law enforcement in our community.

  11. As I have never been on this site prior to seeing Esme Vos’s name on our local television stations website.

    Esme, what muniwifi network do you run? I would love to travel to see how you have deployed your network and how your operations work.

    How many users do you have currently on your network?

    Do you offer free wifi access? If so, how do you provide coverage for CALEA?

    How do you do automated billing, tech support, and general customer service?

    Do you offer on-site assistance for customers to get the maximum experience out of your network?

    How many people do you employ?

    Are you profitable? Do you have a charity you donate a portion of your profits too?

    I really look forward to an opportunity to visit your network and see if we can improve ours.

    Thanks.

    -Travis

  12. No, of course you’ve never heard of MuniWireless, like you’ve never heard of oAuth.

    You’ve never been to our conferences, never seen the RFPs we’ve posted for cities and counties, and never attended our Minneapolis conference. You’ve also never seen our reports and our quarterly magazine. It’s because we’ve only been around since 2003.

  13. Travis is correct that he needs to maintain some type of credentials to maintain CALEA compliance. U.S. Internet could get shut down simply by a lawsuit with the RIAA if someone is downloading copyrighted material. The question is what type of credentials do you use? Credit cards are the easiest to use since it comes with the ability to authenticate the user. As a WISP operator, there is no way to run an open WiFi internet as the criminal activity would be all over it.

    For example, in a 2500 room hotel we ran, it was very common for roaming spammers to come into a room with several computers. As soon as we saw that, we had security go up and throw them out. In one case, they abandoned several computers. There has to be some control and audit of the traffic for federal law and common sense. I have to side with U.S. Internet on this one but it would be nice to have another option with less security risk to the user.

  14. Thousands of hotels, cafes, airports, marinas, conferences, restaurants, offices, motels, gyms, bars, parks, and squares offer free wifi without asking for credit card information, or Facebook/twitter account names or any kind of personal information.

  15. If this is an important and long standing resource for MuniWifi issues I would like to hear from other operators on how they have solved the technical issues related to open Wifi nodes.

    We have been around since 1995, and to date run one of the most successful MuniWifi networks in the country with over 18,000 users.

    Esme, do you actually run a MuniWifi system?

  16. Which are in violation of CALEA. This is the same as driving withour car insurance. If you never get in an accident, then you are fine. Until someone uses your connection for illegal or criminal activity, even just doing bittorrent downloads for example, you are now the responsible party that this gets traced back to. At minimum, it becomes a hassle. At worse, you better have a lawyer for either the criminal or civil case coming your way.

    Most of the venues are also smaller and temporary meaning less chance of a problem. It would be naive to think that nobody across an entire city is going to do some criminal across the system.

  17. Actually USI runs the only large scale muni Wifi system in the US and is the only operator to do it successfully. Whenever anyone asks me to point to a successful muni wifi network, I point them to Minneapolis.

  18. we are going to have to disagree on this until someone comes up with a better idea. I have to agree with Travis. I will think about it though. Maybe a location triangulation along with MAC address for example with the user then entering the information. If it’s grossly off, lock out the MAC forever and then use the credit card for backup. I don’t know the legal ramifications or process but maybe compare it to the State drivers license or state ID system. Just a couple of thoughts.

  19. Travis Carter said: “Are you profitable? Do you have a charity you donate a portion of your profits too?”

    I’m a member of the Digital Inclusion Fund Advisory Committee in Minneapolis which is the “charity” Travis is referring to. Unfortunately, after an initial contractual (community benefit) funding of $500,000 to the fund, there is currently no word on any more monies forthcoming in the foreseeable future. We already took one year off from grantmaking to conserve funds and will soon be giving out our last $100,000.

    If you are making a profit at USIW, Travis, we would certainly like to see some of that money in the Digital Inclusion Fund. (It’s also required by the contract.)

    Shifting notes a bit, here’s a PR video from the City of Minneapolis on the free hotspots. No mention of credit cards.

  20. Brian Converse says

    I wonder if these kids have credit cards?

    While I agree credit cards are not an ideal way of authenticating users, the concerns are real figuring out compliance.

  21. I live in Riverside CA. Recently I’ve seen the “ATTMETOWIFI” turn into just “SmartRiverside”. Today I’m getting both SSID’s, ATTMETO(both free & paid) and Smartriverside. I have not had to input my credit card information as of yet. I am an AT&T DSL subscriber so I received full access to the old setup, but I’ve had more connection success with the “SmartRiverside” SSID, which only requires an E-mail to get access.

    As for the credit card issue, my question is after verification via credit card does U.S Internet keep them on file? If the credit card is used to verify identity then it should not be kept on file. Name/Address from the card should be the only thing on file after verification. If at any point re-verification is needed the same thing should occur.

    Also why not use State drivers licence/Identification number? This is the method used for Cellular providers to confirm identity. even “children or the poor” can obtain a State ID.