Abstract
Open access WiFi hotspots are widely deployed in many public places, including restaurants, parks, coffee shops, shopping malls, trains, airports, hotels, and libraries. While these hotspots provide an attractive option to stay connected, they may also track user activities and share user/device information with third-parties, through the use of trackers in their captive portal and landing websites. In this paper, we present a comprehensive privacy analysis of 67 unique public WiFi hotspots located in Montreal, Canada, and shed light on the web tracking and data collection behaviors of these hotspots. Our study reveals the collection of a significant amount of privacy-sensitive personal data through the use of social login (e.g., Facebook and Google) and registration forms, and many instances of tracking activities, sometimes even before the user accepts the hotspot’s privacy and terms of service policies. Most hotspots use persistent third-party tracking cookies within their captive portal site; these cookies can be used to follow the user’s browsing behavior long after the user leaves the hotspots, e.g., up to 20 years. Additionally, several hotspots explicitly share (sometimes via HTTP) the collected personal and unique device information with many third-party tracking domains.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
References
Acar, G., et al.: FPDetective: dusting the web for fingerprinters. In: ACM CCS 2013. Berlin, Germany, November 2013
Adobe.com: Adobe experiance cloud: Device Co-op privacy control. https://cross-device-privacy.adobe.com
Binns, R., Zhao, J., Kleek, M.V., Shadbolt, N.: Measuring third-party tracker power across web and mobile. ACM Trans. Internet Technol. 18(4), 52:1–52:22 (2018)
Brookman, J., Rouge, P., Alva, A., Yeung, C.: Cross-device tracking: measurement and disclosures. In: Proceedings on Privacy Enhancing Technologies (PETS). Minneapolis, MN, USA, July 2017
Bujlow, T., Carela-Español, V., Sole-Pareta, J., Barlet-Ros, P.: A survey on web tracking: mechanisms, implications, and defenses. Proc. IEEE 105(8), 1476–1510 (2017)
Cheng, N., Wang, X.O., Cheng, W., Mohapatra, P., Seneviratne, A.: Characterizing privacy leakage of public WiFi networks for users on travel. In: 2013 Proceedings IEEE INFOCOM. Turin, Italy, April 2013
Eckersley, P.: How unique is your web browser? In: International Symposium on Privacy Enhancing Technologies Symposium (2010)
Elifantiev, O.: NodeJS module to compare two DOM-trees. https://github.com/Olegas/dom-compare
Englehardt, S., Narayanan, A.: Online tracking: A 1-million-site measurement and analysis. In: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security. Vienna, Austria, October 2016
Gómez-Boix, A., Laperdrix, P., Baudry, B.: Hiding in the crowd: an analysis of the effectiveness of browser fingerprinting at large scale. In: TheWebConf (WWW 2018). Lyon, France, April 2018
Google: HTTPS encryption on the web. https://transparencyreport.google.com/https/overview?hl=en
Klafter, R.: Don’t FingerPrint Me. https://github.com/freethenation/DFPM
Klein, A., Pinkas, B.: DNS cache-based user tracking. In: Network and Distributed System Security Symposium (NDSS 2019). San Diego, CA, USA, February 2019
Laperdrix, P., Rudametkin, W., Baudry, B.: Beauty and the beast: diverting modern web browsers to build unique browser fingerprints. In: IEEE Symposium on Security and Privacy (SP). San Jose, CA, USA (2016)
Le Pochat, V., Van Goethem, T., Tajalizadehkhoob, S., Korczyński, M., Joosen, W.: Tranco: a research-oriented top sites ranking hardened against manipulation. In: NDSS 2019. San Diego, CA, USA, February 2019
Medium.com: My hotel WiFi injects ads. does yours?, news article (25 March 2016). https://medium.com/@nicklum/my-hotel-WiFi-injects-ads-does-yours-6356710fa180
Mowery, K., Shacham, H.: Pixel perfect: fingerprinting canvas in HTML5. In: Proceedings of W2SP, pp. 1–12 (2012)
Nikiforakis, N., Kapravelos, A., Joosen, W., Kruegel, C., Piessens, F., Vigna, G.: Cookieless monster: Exploring the ecosystem of web-based device fingerprinting. In: 2013 IEEE Symposium on Security and Privacy. Berkeley, CA, USA, May 2013
Olejnik, Ł., Acar, G., Castelluccia, C., Diaz, C.: The leaking battery. In: Garcia-Alfaro, J., Navarro-Arribas, G., Aldini, A., Martinelli, F., Suri, N. (eds.) DPM/QASA -2015. LNCS, vol. 9481, pp. 254–263. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-29883-2_18
PCWorld.com: Comcast’s open WiFi hotspots inject ads into your browser, news article, 09 September 2014. https://www.pcworld.com/article/2604422/comcasts-open-wi-fi-hotspots-inject-ads-into-your-browser.html
Reis, C., Gribble, S.D., Kohno, T., Weaver, N.C.: Detecting in-flight page changes with web tripwires. In: NSDI 2008, San Francisco, CA, USA (2008)
Sanchez-Rola, I., Santos, I., Balzarotti, D.: Clock around the clock: time-based device fingerprinting. In: ACM CCS 2018, Toronto, Canada, October 2018
Sombatruang, N., Kadobayashi, Y., Sasse, M.A., Baddeley, M., Miyamoto, D.: The continued risks of unsecured public WiFi and why users keep using it: evidence from Japan. In: Privacy, Security and Trust (PST 2018), Belfast, UK, August 2018
Symantec: Norton WiFi risk report: Summary of global results, technical report, 5 May 2017. https://www.symantec.com/content/dam/symantec/docs/reports/2017-norton-wifi-risk-report-global-results-summary-en.pdf
Tsirantonakis, G., Ilia, P., Ioannidis, S., Athanasopoulos, E., Polychronakis, M.: A large-scale analysis of content modification by open HTTP proxies. In: Network and Distributed System Security Symposium (NDSS 2018) (2018)
Valve: Fingerprintjs by Valve. https://valve.github.io/fingerprintjs/
Acknowledgement
This work was partly supported by a grant from the Office of the Privacy Commissioner of Canada (OPC) Contributions Program. We thank the anonymous DPM 2019 reviewers for their insightful suggestions and comments, and all the volunteers for their hotspot data collection. We also thank the members of Concordia’s Madiba Security Research Group, especially Nayanamana Samarasinghe, for his help in running OpenWPM to automatically browse the home pages of the top 143k Tranco domains.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2019 Springer Nature Switzerland AG
About this paper
Cite this paper
Ali, S., Osman, T., Mannan, M., Youssef, A. (2019). On Privacy Risks of Public WiFi Captive Portals. In: Pérez-Solà, C., Navarro-Arribas, G., Biryukov, A., Garcia-Alfaro, J. (eds) Data Privacy Management, Cryptocurrencies and Blockchain Technology. DPM CBT 2019 2019. Lecture Notes in Computer Science(), vol 11737. Springer, Cham. https://doi.org/10.1007/978-3-030-31500-9_6
Download citation
DOI: https://doi.org/10.1007/978-3-030-31500-9_6
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-31499-6
Online ISBN: 978-3-030-31500-9
eBook Packages: Computer ScienceComputer Science (R0)