On Privacy Risks of Public WiFi Captive Portals

Open access WiFi hotspots are widely deployed in many public places, including restaurants, parks, coffee shops, shopping malls, trains, airports, hotels, and libraries. While these hotspots provide an attractive option to stay connected, they may also track user activities and share user and device information with third parties, through the use of trackers in their captive portal and landing websites. In this paper, we present a comprehensive privacy analysis of 67 unique public WiFi hotspots located in Montreal, Canada, and shed some light on the web tracking and data collection behaviors of these hotspots. Our study reveals the collection of a significant amount of privacy-sensitive personal data through the use of social login (e.g., Facebook and Google) and registration forms, and many instances of tracking activities, sometimes even before the user accepts the hotspot's privacy and terms of service policies. Most hotspots use persistent third-party tracking cookies within their captive portal site; these cookies can be used to follow the user's browsing behavior long after the user leaves the hotspot, e.g., for up to 20 years. Additionally, several hotspots explicitly share (sometimes via HTTP) the collected personal and unique device information with many third-party tracking domains.
