What is this project about?

We analyze privacy risks of using public WiFi hotspots.

What hotspots are analyzed in this project?

We analyzed 67 unique public WiFi hotspots located in the Greater Montreal area of Quebec, including cafes and restaurants, shopping malls, retail businesses, banks, and transportation companies (bus, train and airport). A full list of hotspots can be found here.

Where can I find the full report?

We will make the report publicly available soon.

Whom should I contact if I have a question about this project?

Please email: m.mannan@concordia.ca.

Can I volunteer for data collection?

Sure, please contact m.mannan@concordia.ca for our tools and instructions.

For Users

Are there any privacy risks of using hotspots?

Indeed, there are some risks that may concern users. These risks can be divided into three groups:

  • Collection and sharing of personally identifiable information: 40.3% of hotspots we examined perform unnecessary collection of sensitive data and share it with several third parties.
  • Online tracking: All hotspots except three use tracking technologies on their captive portals and landing pages, sometimes even before getting consent from a user.
  • Data leakage: Several hotspots explicitly share (sometimes even without HTTPS) the personal and unique device information they collect with many third-party domains.

Is there a safe way to use these hotspots?

It depends on the hotspot. Our recommendations are:

  • Do not use a public Wi-Fi network when dealing with any privacy/financially sensitive application.
  • Avoid sharing your personal information with any hotspot - e.g., the ones that require you to use your social login (Facebook, Instagram, LinkedIn, Twitter, Google), or the ones that ask you to register.
  • You may also consider providing fake info such as a fake email address.
  • Use private browsing, and possibly other anti-tracking browser add-ons and software programs that may allow you to use a fake MAC address on Windows.
  • Use a VPN when connecting to a public Wi-Fi network.
  • You may clear your browser history after visiting a hotspot.

For Service Providers

What can be done to limit privacy exposure?

Our recommendations are:

  • Consider every personally identifiable data item that you collect - is it truly needed to run the service? Keep in mind that the more you collect from users, the more legal responsibility you take.
  • Communicate what you collect and share with users as clearly and as concisely as possible.
  • If you use a third-party hotspot provider, check clearly what they might do with your users' data.

How can we help protect users' private information?

Our recommendations are:

  • The user should be clearly advised that they will be surfing the internet without encryption.
  • The right of users to know the purpose of collecting personal information should be respected. Furthermore, the data must be used only for that declared purpose.
  • Security of personal information should be assured by taking the appropriate technical measures.
  • Comply with applicable laws for collection, use, disclosure, retention and destruction of personal information.
  • Review the privacy and the security of the WiFi solution regularly to cope with the latest technological and business developments.

How can we ensure compliance with laws?

Our recommendations are:

  • The public WiFi should be governed by explicit use and privacy policies.
  • Obtain verifiable user consent prior to any collection or use of personal information.
  • The right of users to have access to their personal information should be respected.
  • The right of parents to request the removal of children's personal information should be respected.
  • The right of users to withdraw a given consent at any time should be respected.
  • The user should have a right to opt out of data collection that is being performed while visiting the venue (i.e., happens even before connecting to the WiFi services).
  • The user should have a right to know about all tracking activities and how to opt out of each tracker.

For Service Operators

How can we choose the right WiFi solution?

Our recommendations are:

  • Choose a public Wi-Fi provider that offers a legally compliant solution.
  • Choose a public Wi-Fi provider that stores any collected personal information in Canada only.
  • Perform statistical analyses using anonymous and aggregated data.

How can we protect users' privacy?

Our recommendations are:

  • Provide adequate security measures to protect personal information collected/transmitted via the Wi-Fi service.
  • Promote user awareness for secure use of the Wi-Fi service.
  • Provide WiFi access for users that might not require user signup.
  • Have a legally appropriate retention schedule for inactive WiFi users.
  • Develop a set of clear in-house procedures on privacy incident response and remedy.
  • The users should have a right to know about the WiFi solution that is being set up in the venue.