Unhappy with Wi-Fi hotspot insecurity? Fight for your rights!

I’ve received number of interesting e-mails from my readers in relation to the Wi-Fi Hotspots in Jakarta – Hacker’s playground article. One of the often repeated subjects in e-mails was the terms and conditions of hotspot service set by local ISPs. Someone pointed out that one of the Indonesian ISPs obligates users to accept the fact that the hotspot service is insecure. The following clauses in the terms and conditions of service were attached in e-mail:

English version:

2. Due to security reasons, Customers are advise not to use Hotspot for electronic transaction or other confidential information.

4. Hereby the Customer understands and aware of any risk on using Hotspot, therefore Customer releases CBN for any loss or responsibility due to such risk.

Indonesian version:

2. Karena alasan keamanan, Pelanggan tidak dianjurkan menggunakan fasilitas Hotspot untuk melakukan transaksi keuangan atau informasi rahasia lainnya.

4. Pelanggan dengan ini memahami segala resiko atas penggunaan atau ketidaksanggupan layanan yang disediakan, untuk itu Pelanggan bersedia membebaskan CBN dari segala tuntutan ganti rugi maupun tanggung jawab yang timbul akibat resiko sebagaimana telah dijelaskan.

I verified correctness of this information and as you can see on the screenshot below, the CBN Hotspot Terms of Service indeed include such clauses:

When reading these terms and conditions set by CBN, several question arise. First of all, what happens if I use the insecure hotspot service to receive my e-mail and some hacker benefiting on lack of encryption of wireless data and captures my e-mail password and reads my confidential data? The terms of service do not mention anything about lack of encryption of service, it only states Customer understands and aware of any risk on using Hotspot, therefore Customer releases CBN for any loss or responsibility due to such risk, plus the article about on-line banking and confidential information. I don’t know how about my readers, but “any risk” sounds very much broad to me. If presumably there is a problem with billing on the hotspot and the consumer bill for use of the service increase to a very high amount, is it also included in any risk? I say there is some risk of damage to my wireless card, thus how about if my wireless card gets damaged due to malfunction of wireless hotspot? Is it also within any risk? Stating that company is not responsible for any risk sounds totally crazy to me.

I couldn’t believe that offering a commercial telecommunication service to consumers with such terms is legal. Unfortunately, I can not answer this question myself as my understanding of Indonesian law is very blurry. I also don’t have a license of an Indonesian lawyer allowing me to provide any legal opinion, so to clarify everything I decided to seek opinion of experts in consumer protection and telecommunication laws. My choice was REM Asia Pacific & Co. law firm as they got one of the best legal experts in both telecommunication and consumer protection laws, which perfectly fits my need.

The opinion of REM Asia Pacific’s Partner, Reno Iskandarsyah, is as follow:

Is it legal? The answer is, No! In Indonesia we have the Consumer Protection Act No.8/1999, which provides protection against bad behaviour, unfair treatment by enterprises (company), and rules the equal right and obligation between consumer and the company. The term Consumer shall mean as every person using goods or services for their own need, their family, relatives, or mankind not to sell or get benefit from the goods or services. The term company is defined as every person, institution, company, who sell, produce or provide goods or services to the consumers.

The Terms and Conditions given by CBN, is categorized as “standard clause”. It contains the rights of CBN (as service provider) and the obligations of consumer (as subscriber). However, as obviously noticed, the positions of the service provider and the subscriber are not equal in CBN case. A service provider shall not simply leave an option to its subscriber, i.e.: if you disagree with the terms, you can leave CBN and no longer using their network, if the terms are acceptable to you, you may continue using the network, but, when the network disturbance occures, CBN shall not be responsible for any loss incurred.

Under Article 4 Act No.8/1999 consumer has the right to enjoy comfort, protection, safety, while using or consuming goods or services, and she/he has a right to be compensated for any malfunction. Additionally, Article 7 obliged the service provider to provide the service in good faith, in truth (regarding giving information about the service), honesty, non- discrimination, as well as giving warranty for the standard quality of the service or goods.

The issue of “standard clause” in CBN Terms and Conditions, basically in breach of Article 18. Under this article, a company may not or not allowed to create a standard clause in every documents nor terms and conditions regarding:

a. assignment of liability of the company;

b. consumer is abide by the amendment to the standard clauses made by the company during the utilization or consumption of the purchased service or good.

A breach of this article will be subject to a crime sanction of 5 (five) years in jail or the penalty of Rp. 2,000,000,000 (IDR Two Billion, ~US$210,000).

Clearly, in Indonesia consumers are being protected by the law. You can fight for your rights and can file a complaint about the terms and conditions that were given by CBN. CBN must protect their network from any disturbance, hackers and malfunction, and can’t handover their liability to their customers. If CBN remain silent on this, then the consumers shall have the right to file a claim for compensation or the worse would be to lodge a legal suit.

Frankly, I feel completely stunned with this answer! Considering the simple fact that Reno was a lawyer for the Indonesian Consumers Foundation (YLKI), this becomes a serious issue.

I’ve also asked Rakhmayanti Esther Makainas – well known expert in telecommunication law – for her comment on this matter. Here it goes:

In Indonesia, the service provided by CBN or similar provider is governed under Telecommunication Act No.36/1999; Government Regulation No.52/2000; Minister of Communication Decree No.21/2001, as what is defined as Multimedia Service Provider or particularly an Internet Service Provider. In principal, a service provider is obliged to ensure the quality of the provided services. Even further, under Article 68 of that Government Regulation No.52/2000, a Service Provider shall be liable for any loss incurred by any parties due to such negligence or failure made by the Service Provider. Imagine if someone captured your company’s confidential documents/information while you were using Internet service at the hotspot due to the lack of security, which relates to the quality of service.

After reading opinion of two highly qualified lawyers, I think you already know what to do in case of problems with your ISP.

From the technical point of view, I clearly understand that providing insecure, unencrypted wireless Internet access service creates a great risk to the consumer. It doesn't take much hacking skills to sit down at a café with hotspot and begin intercepting and reading all the unencrypted wireless transmissions passing through the air. There are number of ways to secure public wireless hotspot and it seems that ISP simply doesn't bother to implement it. It also does not involve high cost, as the wireless service can be effectively secured with a simple solution.

FYI in Europe, before any product is accepted for use at a telecommunication company, it is first being tested by group of security experts at company’s research department. The product will not be used by the company if there is no positive security approval from the research department. Unfortunately, it is not the case in Indonesia. I’ve never heard of any research department in a local telecommunication company and vendor products is installed without any independent testing, which often results in serious insecurities of telecommunication networks. For instance many products that haven’t received positive security approval from European telecoms are often being used in Indonesia.

I'd like to end this article with a quotation from CBN's web-site expressing the vision of the company:

As the leader among Internet Service Providers in Indonesia, CBN is working for a recognition as“The Brand You can Trust”.

Trust?! I leave comment on that to the growing number of readers of my Blog.

PS: If you are frustrated with service offered by your ISP, drop me an e-mail.