On Privacy Risks of Public WiFi Captive Portals

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11737)


Open access WiFi hotspots are widely deployed in many public places, including restaurants, parks, coffee shops, shopping malls, trains, airports, hotels, and libraries. While these hotspots provide an attractive option to stay connected, they may also track user activities and share user/device information with third parties, through the use of trackers in their captive portal and landing websites. In this paper, we present a comprehensive privacy analysis of 67 unique public WiFi hotspots located in Montreal, Canada, and shed light on the web tracking and data collection behaviors of these hotspots. Our study reveals the collection of a significant amount of privacy-sensitive personal data through the use of social login (e.g., Facebook and Google) and registration forms, and many instances of tracking activities, sometimes even before the user accepts the hotspot’s privacy and terms of service policies. Most hotspots use persistent third-party tracking cookies within their captive portal site; these cookies can be used to follow the user’s browsing behavior long after the user leaves the hotspots, e.g., up to 20 years. Additionally, several hotspots explicitly share (sometimes via HTTP) the collected personal and unique device information with many third-party tracking domains.



This work was partly supported by a grant from the Office of the Privacy Commissioner of Canada (OPC) Contributions Program. We thank the anonymous DPM 2019 reviewers for their insightful suggestions and comments, and all the volunteers for their hotspot data collection. We also thank the members of Concordia’s Madiba Security Research Group, especially Nayanamana Samarasinghe, for his help in running OpenWPM to automatically browse the home pages of the top 143k Tranco domains.



Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  1. Concordia University, Montreal, Canada
