When you log in to use the free Internet a merchant offers on-site, don’t make the mistake of believing your personal data is protected. As a matter of fact, business owners are happy to help themselves to your precious info.
The number of WiFi access points (hotspots) at businesses and in public institutions, such as airports or libraries, is growing all the time. There are half a billion hotspots in the world at the moment, five times more than there were five years ago.
Many studies have shown that these public access points — which can be used without obtaining permission or even having to identify yourself — provide great opportunities for companies to spy, eavesdrop, intercept communications between two parties or even steal a user’s identity. Many people aren’t aware that when companies purchase a hotspot to give their customers free Internet access, they’re frequently the first to collect customers’ personal information, even using their own cookies to do so.
A team of researchers from Concordia University in Montreal made that discovery in their study, On Privacy Risks of Public WiFi Captive Portals. The study, released in 2019, examined the behaviour of 80 businesses and institutions in the Montreal area, including local institutions such as Place Vertu, Aéroports de Montréal, Place des Arts, the Grévin Montréal wax museum and the Société des alcools du Québec, as well as major international brands, including Tim Hortons, Burger King and Gap.
The findings of the study are highly detailed and hair-raising. Many Internet users assume that reputable companies will protect their privacy as a matter of course after asking users to identify themselves. In fact, it’s just the opposite, says Suzan Ali, lead author of the study, which was part of her master’s degree in Information Systems Security.
The risks are so high that a privacy-conscious user is better off not using the services at all.”
Suzan Ali, lead author of the study
All the institutions that were studied offer access to public WiFi through a “captive portal”: a web page where the user has to sign up by providing certain pieces of information and agreeing to various conditions. The user is granted access to the web after that, starting from the institution’s landing page.
Ali and her colleagues discovered that in the few seconds it takes users to connect to the Internet through a captive portal, the company that manages the portal can collect tremendous amounts of information about them and their device. Companies can also track users’ navigation using “cookies,” mini programs that provide information on how a user navigates the Internet.
In 39% of cases, the first cookies are collecting information without your knowledge, before you’ve even been asked for consent.”
Suzan Ali
By doing this, most companies are violating their own privacy policies — that is, if they even bother to post one.
The study focuses on the Windows and Android operating systems, Windows because it’s the most widely used system, and Android because it’s known for its privacy protection measures, scrambling the number that identifies each device on which it is used. “To our surprise, many portals still manage to use cookies despite the Android scrambling,” says Ali. “We haven’t verified whether this happens on Apple devices, but it certainly raises questions.”
A golden opportunity to harvest information
The collection of personal data starts with the log-in process. The majority of systems, nearly 60%, simply ask users to identify themselves with their email address and a password. Others ask users to fill in a form, which may include information such as full name, date of birth and city of residence. Other businesses require users to identify themselves through a social network, which allows those businesses to acquire personal information without permission.
But the greed doesn’t stop there, since businesses are actually particularly interested in obtaining data about the device being used. For example, 59.7% of hotspots collect the “media access control” of devices. Better known by its acronym, the MAC (not related to Macintosh computers) is sometimes called the “physical address” of a device, since it’s a unique identifier.
But that’s not all: captive portals also build a “digital fingerprint” of your device by collecting a range of information, including your battery status, browsing preferences, fonts installed in your system, screen properties (resolution, colour definition) and information about your camera, microphone and more.
Hotspots can identify 86% of devices using only eight attributes. It’s as if they’re producing a fingerprint of the device on the spot.”
Suzan Ali
While companies collect 19 attributes on average, the Discount car rental company collects 117 attributes, making it the all-round information collecting champion. That’s almost twice as many attributes as runner-up Home Depot, which collects 64 attributes.
All this data is exchanged freely between the site host company, the company that manages the captive portal and third parties with whom they have agreements. The research team also discovered that 13% of companies were transmitting the data they obtained without any encryption by using the public http protocol rather than the HTTPS protocol, now the standard for secure sites.
Worrisome numbers of cookies
Only three of the 80 hotspots in the study did not use those infamous cookies — mini programs implanted in your browser to collect information without your knowledge. Some cookies are useful and legitimate, since their purpose is to improve the way you move around the company’s web site. (They do let a company know what you’re doing on their site, though, including when you leave and when you come back.) Other cookies actually follow users to new sites to make sure, for example, that a specific advertisement follows you around the Internet.
Every company has “first-party cookies,” but most also have third-party cookies. These let the company’s commercial and financial partners follow you around the Internet and inform the host company of your activity. The Aéroports de Montréal portal uses 20 such cookies, one more than the Rockland Centre and two more than Champlain Mall. And yet another shopping center, Carrefour Angrignon takes the cake, with 34 third-party cookies. What’s more, some 13% of the cookies used in hotspots are programmed to have a 20-year lifespan. As soon as you land on the company’s login page, 63% of the sites are using their own cookies and 72% are using their partners’ cookies.
Savvy Internet users know it’s possible to erase cookies by deleting their browsing history. You can even neutralize cookies by switching your browser to Incognito Mode.
All this has made companies more interested than ever in collecting as much data as possible on the user’s device itself, including the MAC address and fingerprint. With this data, they can track a user “passively,” without entering your system, through the traces your device leaves behind. “This way, you can track a user without running the risk of being blocked by their privacy settings,” says Ali. In fact, it’s so effective that 76.1% of companies collect this information right on their landing page.
How to protect yourself
Ali and her colleagues published a series of recommendations with their study, many of which are based on warnings from the Federal Trade Commission in the U.S.
Never use a public hotspot to transmit personal or financial information, but if you use hotspots for any other purpose, take the following precautions:
1) Make sure your cell phone is in “cellular data” mode. That means data is automatically encrypted, which provides better protection than with a computer.
2) Use a Virtual Private Network (VPN) application. The VPN creates an encryption channel that protects your data.
3) Avoid hotspots that ask for any information beyond an email address.
4) Disconnect from the hotspot the moment you stop using it.
5) Anonymize your browser.
6) Delete your search history and cookies.
7) Turn off the automatic login feature.
Ali advises users that it’s best to avoid using hotspots altogether — just as you try to avoid getting Covid!
The Study
On Privacy Risks of Public WiFi Captive Portals (Concordia University, 2019), was conducted by Suzan Ali as part of her master’s degree in Information Systems Security, in collaboration with another master’s student, Tousif Osman, under the supervision of professors Mohammad Mannan and Amr Youssef from Concordia University.
What set Ali’s study apart was that it looked at what happens when users first make contact with a public WiFi access point. The study was designed to see if companies that offer free internet access through a captive portal take advantage of that contact to collect personal information about users and then spy on them.
To carry out their study, the researchers programmed a computer robot called a CP Inspector that was actually a collage of several detection programs. They used the CP Inspector at 80 establishments and businesses in the Montreal area to see how the captive portal for each place behaved in devices using either the Windows or Android operating system.
The CP Inspector collected huge amounts of information for each portal, including data volume, cookies being used, types of connection, level of security, source codes and data storage. It also took screenshots of pages and saved the user agreements and privacy policies.
The findings revealed that even on portals that require a user ID, users get almost no privacy protection. The user’s personal information and technical data are collected from the device. A large number of cookies — up to 34 — are used to collect personal information and technical data from the device. The data is then freely exchanged with third parties. In short, the risk of privacy breaches at hotspots is very high, even with Android devices, whose operating system is considered more reliable than Windows in terms of privacy protection.