Novel consent decree provision requires company to “share information” with third-party software developers and others.

tp-link consent decree-2In what might ordinarily have been a run-of-the-mill consent decree between Wi-Fi equipment manufacturer TP-Link and the FCC, the company has admitted to selling potentially overpowered Wi-Fi routers and has agreed to pay a fine of $200,000 – toward the high end for this kind of violation, but far from setting any records.

There is, however, more to the story.

Different parts of the world allow Wi-Fi to operate in different frequency bands and at different power levels. It would be a manufacturer’s nightmare to make different models for every country’s standards, and then somehow make sure that each model is sold only in the right country. Manufacturers are smarter than that. For many years, their devices have each been capable of complying with many different countries’ rules, and include a switch to select the destination country. In the early days this was an actual, physical switch; now it is a software setting. Thus the same hardware unit can be boxed and shipped to the United States or Japan or Sweden or anywhere else, so long as the software is properly configured. The FCC allows this if the units sold here have the software set to comply with U.S. rules and the software control isn’t “readily accessible” to the user.

The meaning of that last phrase became important when 5 GHz Wi-Fi devices began causing interference to airport weather radars. In some cases – maybe all cases – the interference was due to the devices having been illegally modified to duck the U.S. requirement to monitor for radar activity in certain bands, and possibly also to exceed U.S. power limits. The FCC responded with new rules: 5 GHz manufacturers must “take steps to prevent unauthorized software changes” that could make the radio noncompliant. Manufacturers can implement this security any way they want, but must explain their approach in the certification application.

TP-Link admitted it had sold 5 GHz units in the U.S. that allowed the user to change the country code and thereby operate the device out of compliance with U.S. rules.

Here is where the matter gets interesting.

When TP-Link fixed that problem, it created another one, at least in the eyes of the FCC. Its repair blocked not only software changes to the country code, but all software changes whatsoever, including the installation of open-source and other third-party software that might improve performance, configure networks, or improve cybersecurity. This, said the FCC, went too far. In a novel consent decree provision, TP-Link has agreed to cooperate and share information with interested third-party software and chipset developers so as to allow the use of third-party software, while still meeting the FCC’s security requirements.

Wait – can TP-Link open its router to third-party software, yet still block changes to frequency bands, power, and radar detection? Funny you should ask, because almost that same question unexpectedly came up in an ongoing rulemaking. A proposed overhaul of the equipment certification rules includes, almost in passing, a broadening of the 5 GHz software security requirements to more kinds of devices. Certification applicants for certain devices under software control would have to explain how the devices will prevent unauthorized parties from downloading software that could take radios out of compliance.

To the FCC’s surprise, the proposal generated thousands of comments, many asking if the FCC meant manufacturers to block all upgrades and third-party improvements. Julius Knapp, head of the FCC’s Office of Engineering and Technology, responded in a characteristically plain blog post: “[T]he proposal is not intended to encourage manufacturers to prevent all modifications or updates to device software.”

But there is a big difference between allowing a device to accept modifications (Julius Knapp) and requiring it to (TP-Link consent decree). Today there is no FCC rule that requires a Wi-Fi router to accept third-party software, and no such proposal is pending. The consent decree cites only the FCC’s policy of fostering innovation by enabling novel uses of technology. Usually, though, the FCC implements policy by adopting rules. No one down here in the CommLawBlog bunker can recall the FCC writing language into a consent decree based on a policy with no specific rule behind it. Regrettably, the negotiations that lead to a consent decree are confidential. Perhaps TP-Link gained something it wanted by agreeing to this. Unless TP-Link chooses to speak up, we’ll never know.