This post was originally published on January 13, 2016.
What’s awesomer than free public Wi-Fi?
When you find a free public Wi-Fi hotspot you probably think, “Awesome!” and connect to it without even reading the terms and conditions of use.
But public Wi-Fi hotspots in airports, libraries, community centers, convenience stores, coffee shops, and other public spaces are actually very dangerous.
When we mindlessly agree to the terms and conditions of free public Wi-Fi hotspots, we agree to these dangers and give others permission to intercept our sensitive information, spy on our activity, sell our data to corporations, and dictate what we can and can’t access online.
Is Public Wi-Fi Dangerous Enough to Warrant an Amazing ExpressVPN Infographic?
Yes. Yes it is.
More Insecure Than Your Ex – Public Wi-Fi Policies Revealed
Let’s see what we’re really agreeing to when we click “I agree” to the terms and conditions of free public Wi-Fi – then we’ll look at how best to protect yourself when connecting.
Surprisingly (OR NOT), many of the Wi-Fi terms and conditions we reviewed admit to being inherently insecure:
University of Colorado:
“Wireless access is by nature an insecure medium. As with most guest wireless networks, any information being sent or received over the CU-Boulder Guest wireless network could potentially be intercepted by another wireless user.”
Suddenlink’s Wi-Fi Zones in the United States:
“You acknowledge that the Service is inherently not secure and that wireless communications can be intercepted by equipment and software designed for that purpose.”
Broward County’s Downtown Wireless Network:
“The network access you are using is not private or secure.”
MidMichigan Health, which provides free Wi-Fi access to patients and visitors in the University of Michigan Health System:
“This is not a secure network. For your protection, we recommend that you not view or send sensitive information, such as financial, personal or proprietary information.”
Arqiva, which outfits airline lounges with Wi-Fi networks:
“You acknowledge that the transmission of information via the internet and via the Service is not secure.”
Tim Hortons, the great Canadian coffee chain:
“Your messages may be the subject of unauthorized third party interception and review.”
“The internet is an inherently unsecure communication medium. Whilst Melbourne Airport will use reasonable endeavours to provide secure access through this Hotspot, it cannot guarantee the security of the Hotspot at all times.”
Insecure networks are all kinds of bad. But hey—at least these guys are transparent about it, right?
Why Are Insecure Wi-Fi Networks Bad?
When you connect to free, unsecured public Wi-Fi, any bystander can see what websites you’re loading and what programs you’re running. It’s like walking around with no clothes on inside a glass house.
Sometimes these bystanders can also see the contents of your activity. They know if you’re looking at anything that could potentially incriminate you — anything scandalous, unsavory, or political. And they can use this information against you.
With your data, malicious entities could:
- target you with elaborate phishing or hacking attacks
- blackmail you or your company
- impersonate you and steal your identity, causing you great financial damage
The attacker doesn’t even need to be sitting next to you to gain access to all of your data. All they have to do is hack the router you’re using and infect it with malware so they can spy on all traffic that routes through it.
More Invasive Than a Prostate Check At Walmart
But even if a network is properly maintained, free from viruses, and secured with the most advanced encryption technologies, network owners can access and analyze your information—and sell it to the highest bidder. Even worse, if network owners don’t properly secure your data after they’ve gathered it from you, then it’s very easy for hackers to steal it.
Let’s look at what they’re snooping on…
City and County of San Francisco:
“City may also collect information about the geographic locations of the City Wi-Fi nodes through which users connect to the Service.”
“By accepting these Terms and Conditions, you agree to Melbourne Airport collecting, holding and disclosing the following information: Location data at Melbourne Airport.”
“The Academy reserves the right to monitor and collect information while you are connected to the Service and that the collected information can be used at discretion of the Academy, including sharing the information with any law enforcement agencies, the Academy partners and/or the Academy vendors.”
Puerto Rico District Court:
“All communications over the Service may be subject to monitoring and should not be considered either private or protected.”
“Consent to monitoring. Panera and the third party provider reserve the right to […] (but are not required to) monitor your communications and activities via this service (including their content) during transmission.”
“Target has the right (but not the obligation) to monitor and/or screen your communications and activities via the Service during transmission and in connection with use of this Service.”
“We reserve the right to monitor and control data volume and/or types of traffic transmitted via the services.”
St. Elizabeth Healthcare in Northern Kentucky:
“We have the right, but not the obligation to monitor, intercept and disclose any transmissions over or using our Wi-Fi service”
Hong Kong Government Wi-Fi:
“Each User acknowledges and agrees that the Government will keep logs of activities on the Internet and browsing history of User.”
Okay, so these networks are monitoring information about your “locations”, “activities”, “communications”, and “transmissions”—otherwise known as metadata. Metadata is too vague to do any damage, right?
Why Is It Bad If Someone Has Your Metadata?
Let’s think about what metadata your network provider might collect from you:
- the unique identifier of your computer
- the websites you visit
- the services you use
- the duration of your online sessions
- the details about your precise location
Do you like the idea of being followed everywhere while you go about your day-to-day business? No? Then why are you using free Wi-Fi networks that do this?
Not only is this an enormous invasion of your privacy, all of this information is gold for advertisers and hackers alike. Marketers love keeping tabs on where you eat, where you shop, and who you travel with. It helps them target ads at you. Targeted ads = cha-ching!
And hackers can wreak a lot of havoc in your life with all the information they steal about you.
Picture this: a hacker who’s tapped into your network can watch you plan a trip overseas. They also know which security systems you have installed in your home. They can sell all this information to organized crime units specializing in break-ins. You’d better lock your jewels in a safe deposit box!
More Meddlesome Than Your Spinster Aunt
Ever wonder why the Internet you use on free public Wi-Fi is not the same as your Internet at home?
That’s because many Wi-Fi providers censor content in fear of lawsuits, unhappy parents, or other liabilities. So you might discover your favorite apps don’t work at all, and message boards or chat servers aren’t reachable.
Let’s look at how some Wi-Fi networks meddle with your Internet:
“Melbourne Airport may block or limit access to websites and/or content that Melbourne Airport considers are not “family friendly””
The Cloud, with over 22,000 hotspots in the UK:
“We may implement extended URL blocking to general categories of sites that may be deemed inappropriate for public environments or specific URLs for legal or contractual reasons. The type of site categories that may be blocked include those relating to:
- Drug use
- Offensive or illegal speech (ExpressVPN don’t understand how speech can ever be illegal)
- Network malfeasance”
“You accept that Virgin Media has the right to restrict access to any inappropriate content on the service.”
Why Is It Bad to Block Porn and Drugs?
Some Wi-Fi providers want to block sites related to pornography and drugs. Fair enough — some people don’t like the Beatles, either.
But they don’t always stop there. What if they also block the websites of their competitors, or any content containing politically sensitive subject matter? Is it OK for them to control your Internet access like that? You might think you have nothing to hide, but does that give someone else freedom to invade your privacy?
Censorship sometimes affects completely uncontroversial websites and services too, if they happen to sit on the same server or have a similar address to the censored content.
Are you okay with your Wi-Fi provider meddling with your Internet like that?
The Nice Guys Amid the Jerks
Fortunately, not every Wi-Fi network vows to stalk and monitor you before selling the data to the highest bidder.
Here are some of the good guys:
City and County of San Francisco
“City does not store the content of any of online communications or data transfers.”
(remember, though: they collect location data)
“HJAIA does not screen or restrict access to any content placed on or accessible through the Internet. HJAIA also does not screen or restrict communications between parties via the Internet.”
“City of Darwin is committed to safeguarding personal privacy. It recognizes that individuals have a right to control how their personal information is collected and used.”
“Starbucks Coffee respects your right to privacy and will not capture any personal information while accessing the hotspot unless your consent is granted.”
The awesome people at Arqiva and Suddenlink not only spell out that free Wi-Fi is inherently insecure; they also share a neat fix with their users.
“We strongly encourage and support certain customer-provided security solutions, such as virtual private networks, encryption and personal firewalls.”
“We recommend that while using the Service you use an approved secure technology, for example virtual private networking (“VPN”) and/or a personal firewall, in particular where you intend to conduct personal or private business over the Service.”
If You’re Spreading It Around, Protect Yourself
If you connect to a free Wi-Fi hotspot, use a VPN, a proxy service, or the Tor browser. While a proxy service might be the cheapest option, it doesn’t necessarily offer the same privacy protection as a VPN. It can also only handle HTTP traffic and might be more difficult to set up. Tor arguably provides the strongest protection, but it can be slow or behave unexpectedly for the user.
A good VPN will make it impossible for the Wi-Fi operator or an attacker to learn about your identity or the sites you’re visiting. It also makes it significantly harder for them to hack into your computer or smartphone. In addition, a VPN lets you access content or applications that may be otherwise blocked.
Note, however, that third parties may still be able to map your movements around your location and connect your multiple visits to the network by looking at your MAC address, which is the unique ID of your network card.
If you don’t want to be tracked in this way, stick with an operating system that randomizes and anonymizes your MAC address, such as Tails and iOS.
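To make the MAC address point concrete, here is an added example (not part of the original post) of how a hotspot's association log ties repeat visits together by MAC address, and how per-visit randomized addresses break that link. The log format, access point names and addresses are constructed for illustration; the locally administered bit is used as a heuristic for "probably randomized".

```python
from collections import defaultdict

# Constructed sample of a hotspot association log: "date access-point client-MAC".
SAMPLE_LOG = """\
2016-01-11 cafe-ap-1 3c:15:c2:aa:bb:01
2016-01-12 cafe-ap-2 3c:15:c2:aa:bb:01
2016-01-13 cafe-ap-1 3c:15:c2:aa:bb:01
2016-01-11 cafe-ap-1 da:a1:19:00:11:22
2016-01-12 cafe-ap-1 7e:4f:0b:33:44:55
2016-01-13 cafe-ap-2 f2:9c:d0:66:77:88
"""

def is_locally_administered(mac: str) -> bool:
    """True if the U/L bit (0x02 of the first octet) is set.

    Randomized MACs set this bit; burned-in vendor addresses do not.
    The bit alone does not prove randomization, so treat it as a heuristic.
    """
    first_octet = int(mac.split(":")[0], 16)
    return bool(first_octet & 0x02)

def link_visits(log_text: str) -> dict:
    """Group (date, access point) sightings by client MAC address."""
    visits = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed lines
        date, ap, mac = parts
        visits[mac.lower()].append((date, ap))
    return dict(visits)

def trackable_devices(log_text: str) -> dict:
    """MACs seen more than once: the visits an observer can tie together."""
    return {mac: seen for mac, seen in link_visits(log_text).items()
            if len(seen) > 1}

if __name__ == "__main__":
    for mac, seen in link_visits(SAMPLE_LOG).items():
        kind = "randomized?" if is_locally_administered(mac) else "hardware"
        print(f"{mac} ({kind}): {len(seen)} sighting(s) {seen}")
    print("linkable across visits:", list(trackable_devices(SAMPLE_LOG)))
```

The device that keeps its hardware address is the only one whose three visits can be joined into a movement history; the three randomized addresses each look like a one-off visitor.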
The bottom line? Be wary about what networks to trust and take note of their policies and promises. It might be wise to route your traffic through the Tor network completely, or invest in a good VPN service you have carefully vetted.
Featured image: Rebecca Bradley
Would they be able to see or track your download history?
Yes, if you are downloading the file from a site over http, they can see what you are downloading from whom. If the site is loaded over https (note the lock in the browser’s address bar), they can only see how big the file is, and who it comes from, but not what is in it.
Broward County’s website is probably a bad choice for you to cite in making your case for a VPN because they say “Broward County strongly recommends that you do not use this network for the transfer of sensitive data, such as credit card data or bank account data, even while using encryption.”
I don’t necessarily agree with their position that even a properly encrypted connection can be insecure, but if encryption is the very heart of VPN security then it doesn’t make much sense for you to refer readers to a site that specifically denies that encryption works.
Thanks for contacting us, Elroy. You can never be too safe with regard to your online security. Policies can change, but it’s good to keep security issues at the forefront.
“The bottom line? Be weary…”
“Weary” means tired or exhausted. I think you meant “wary.”
You’re quite right. Thanks for pointing it out to us, we have changed it. Here’s a link to a funny cat video on YouTube, to show how grateful we are 🙂