Cisco tries to cloud the issue over router upgrades

Users of certain Cisco Linksys routers found themselves in the ridiculous position last week of being forced to choose between maintaining the ability to manage the router through the local web interface and the ability to update the router firmware.

The culprit was something called the Cisco Connect Cloud, and the implications on both security and privacy verged on the comedic.

But this was no laughing matter, as Cisco soon discovered when faced with a barrage of complaints that forced the company into something of a Cameron-esque U-turn. Here's what happened, and why Cisco was right to go into reverse as a result.

Many small businesses use Linksys branded Wi-Fi routers for their network needs, and this is partly down to the ease with which firmware updates can be automated and router management itself handled via a local web administration interface. Updating router firmware is usually recommended from both the hardware stability and security patching perspectives, so it should come as no surprise that many users will have that automatic firmware updating happily toggled to the on-position. Happily, that was, until Cisco pushed out the latest firmware update after which users found they were unable to access their router admin page.

Far from being a buggy update or a glitch experienced by a few users, this was a deliberate move by Cisco.

The router management page simply stopped working when they tried signing in at 192.168.1.1 as usual, and users found themselves faced with having to sign up to the new Cisco Cloud Connect service if they wanted to have any advanced router administrative control. Either that, or rollback to the previous firmware version and forget about ever updating the firmware again.

But why the uproar over moving from a local web UI for the management tools interface to a cloud-based one that enables the user to manage the router from any web browser, any where?

Well, quite apart from the potential, if relatively small ,security risk of managing your business router from an airport lounge or coffee shop, there's also the draconian terms and conditions Cisco require users to sign up to before starting the Cloud Connect service. These include not using the service, or your router in other words, to access 'obscene' or 'offensive' content. Neither of which are defined in any way, and we all know that one man's art is another's obscenity.

The terms, however, do not stop there, there's also no access to content that infringes intellectual property rights, no emailing or uploading of 'unauthorised advertising or promotional materials'. If you do, then Cisco reserves the right to discontinue your use of the service "immediately without prior notice to you, and without refund or compensation to you". Charmed, I'm sure.

Even though the Connect Cloud privacy statement was amended so as to remove reference to Cisco keeping track of network traffic and Internet history data, the privacy concerns of customers quickly came to the fore. Not least as, in order to be aware of whether a user of a Linksys router was looking at porn online or downloading a copyright violation music track, Cisco would surely be having to monitor the traffic. Whatever, and however, the potential for Cisco to brick a router (or at least prevent access to the router management tools) was enough to spark a tsunami of protest.

Cisco has now responded by confirming that Cloud Connect will now be optional, and not the default router admin interface. "We have simplified the process for opting-out" Brett Wingo, a Cisco VP, stated, adding that Cisco had "changed the default setting back to the traditional router set-up and management".

Wingo denied that Cisco would ever, or has ever, monitored customer Internet usage via the Cloud Connect service nor that it would "arbitrarily disconnect customers from the Cisco Connect Cloud service based on how they are using the Internet".

Which sounds good, but I'm still not totally convinced of the Cisco commitment here. Not least as there is no sign of another firmware update to remove the Cloud Connect requirement as of yet, and Cisco advises users to revert back to the previous firmware version if they want the local admin management UI access back. The option to choose between router management services will be introduced in an as yet unannounced firmware update apparently, but in the meantime users are still faced with having to manually rollback the router firmware or agree to the Cloud Connect terms and conditions.

And then there's the claim that Internet usage would never be monitored when the original privacy statement included a paragraph that quite clearly stated "we may keep track of certain information related to your use of the Service, including but not limited to the status and health of your network and networked products; which apps relating to the Service you are using; which features you are using within the Service infrastructure; network traffic (e.g., megabytes per hour); internet history;..." I stopped there as we'd arrived at both 'network traffic' and 'internet history'. 

The moral of the story being that users should always read the small print, and vendors should never assume that users will click on the agree button without doing so.

Cisco's Wingo (which sounds like a good name for a new router, as it happens) admits that a "lack of clarity" existed in the terms and conditions, and has now made it clear that "when a customer signs up for a Cisco Connect Cloud account, Cisco does not track or store any personal information regarding a customer’s usage of the Internet".

Unfortunately, the reputational damage is done and may be difficult to undo. The collateral damage from which may stretch into the Cisco cloud itself, as well as impacting upon router purchasing decisions by the privacy minded folk out there. Only time will tell...