NTA drafts guidelines for free public wi-fi service

Kathmandu, January 25

With cyber crimes increasing as the use of free public wi-fi service rises across the country, the Nepal Telecommunications Authority (NTA), the telecommunication sector regulator, has drafted the ‘security guidelines for the operation of free wi-fi/hotspot in public places’.

According to NTA, the guidelines will apply to internet service providers (ISPs) in places where hotspot use is high, such as airports, shopping malls, hospitals, restaurants, colleges and schools, among others. As per the drafted guidelines, ISPs must comply with various conditions and security measures when setting up wi-fi/hotspots for themselves or for their clients and providing internet service to users.

According to the guidelines, ISPs must properly configure all the factory default settings and restrict unnecessary services and ports in the access points. The ISPs must ensure that all wi-fi access equipment deployed is compliant with relevant IEEE/3GPP and Hotspot 2.0 standards and type approved by NTA. The ISPs must also deploy security updates and patches to all system devices to protect the system against known vulnerabilities.

“We decided to draft the guidelines as we started receiving a huge number of complaints related to cyber crimes through the use of free public wi-fi service,” said Purushottam Khanal, acting chairman of NTA. “It will be mandatory for ISPs to store the user identity (example, phone number used to register), Media Access Control address of the device, source/destination IP address, and user’s login/logout session time and save all that data in a server,” he said.

“The main purpose of introducing the guidelines is for data retention and storage to facilitate law enforcement agencies for investigation purposes,” Khanal stated.

According to the guidelines, if ISPs violate the guidelines and are unable to provide valid data to the law enforcement agencies when required, they will be penalised under the Electronic Transaction Act, 2008. As per the act, the ISPs could be liable to a fine not exceeding Rs 200,000 or imprisonment not exceeding three years or both depending on the seriousness of the offence.

Moreover, as per the guidelines, ISPs must implement and deploy a centralised user registration and authentication system that restricts services to authorised users via a web-based captive portal with an interface to register. Through this interface, users can fill out personal details including phone number, and are authenticated via a message in both Nepali and English.

As per the draft guidelines, if ISPs notice any untoward incident, such as a security violation, around hotspots, they must report it to the law enforcement agencies.