Concordia researchers expose the risk of using public Wi-Fi hotspots

How to protect yourself against web tracking and data collection on the go
December 13, 2019
Mohammad Mannan: “Don’t ask ‘what do I have to hide?’ A better question is ‘what are they doing with that information?’” | Photo by Paul Hanaoka on Unsplash

In terms of convenience, you can’t beat Wi-Fi hotspots — those cafes, gyms, malls, retailers and restaurants that offer free internet usage.

“But there’s a cost!” warns Suzan Ali, a master’s student with the Concordia Institute for Information Systems Engineering at the Gina Cody School of Engineering and Computer Science.   

She’s studying the privacy risks of using public Wi-Fi with captive portals — landing pages where users typically agree to the website’s terms or sometimes register before being allowed to access the Wi-Fi.

“If you value privacy and security, you need to stay as anonymous as possible,” says Ali, who presented her findings at the Data Privacy Management International Workshop in Luxembourg this fall.

67 public Wi-Fi hotspots

In a study funded by the Office of the Privacy Commissioner of Canada, Ali and her supervisors, Mohammad Mannan and Amr Youssef, looked at 67 open-access Wi-Fi hotspots around Montreal to shed light on web tracking and data collection behaviours.

They created a framework called CPInspector to capture the raw traffic traces on laptops and Android phones. The framework is open source and available for download.

The study reveals 40 per cent of the hotspots perform unnecessary collection of sensitive data via social media, registration or surveys, then share it with several third parties.

All but three of the hotspots employed varying levels of user-tracking technologies on their captive portals. More than half of the studied hotspots create persistent third-party tracking cookies that are designed to stay active for up to 20 years.

“Surprisingly, 39 per cent of hotspots create persistent cookies even before the user accepts the privacy terms and services policy,” says Mannan, a professor and member of the Security Research Centre.

Suzan Ali, a master’s student with the Concordia Institute for Information Systems Engineering Suzan Ali, a master’s student with the Concordia Institute for Information Systems Engineering.

Stateless tracking

As well as analyzing persistent tracking done by cookies, the study also took into account stateless tracking. It’s when a user has cleared all the cookies from their browser, but the internet provider can still “fingerprint” their device by noting the model of their laptop, the version of Chrome they use, for example, and their plugins. It’s like profiling.

“It’s possible to fingerprint your device and recreate the cookies you previously removed,” says Mannan.

Not all of the study’s findings were cautionary tales, though. Mannan notes that Android phones are better at protecting your privacy than laptops.

“That’s because the captive portal on an Android is a separate application,” explains Mannan. “If a cookie is loaded there, it doesn’t affect your main browser. Whereas on a laptop, the captive portal shows up on your default browser. Also, some mobile operating system versions randomize the MAC address automatically, so it’s a more secure design.”

Security Research Centre

For Mannan, privacy is a fundamental right worth protecting. He’s one of 18 Concordia researchers at the Security Research Centre. As of October 2019, members had already secured over $25.6 million in external funds — $17.6 million within the last six years.

He is frustrated when people claim not to care if their personal information is shared online.

“You should care on principle, but also because your private information is monetized,” Mannan says. “Someone’s making money off it. And someone could learn something about you from your Facebook profile and use it to launch a targeted phishing attack against you.”

When it comes to privacy, don’t ask “what do I have to hide?” Mannan advises.

“Better questions are, ‘what are they doing with that information?’ and ‘why are they sharing it with other parties?’”

4 tips to stay private using public Wi-Fi

Ali says she only feels comfortable using the internet at home, where she trusts her provider.

“They’re regulated by law, so they cannot share my information with a third party,” she adds.

She strongly cautions against using public Wi-Fi, in general, but specifically when dealing with anything sensitive, like financials.

Here are her top things to keep in mind when choosing to use public Wi-Fi:

  • Don’t register
  • Don’t use social media to register
  • Always clear your browser of cookies
  • Use anti-tracking browser add-ons

Read the cited study, “On Privacy Risks of Public WiFi Captive Portals,” funded by the Office of the Privacy Commissioner of Canada.

Find out more about the Gina Cody School of Engineering and Computer Science.

Back to top

© Concordia University