Free Wi-Fi – but it’ll cost you your privacy

Citizens asked to trade their privacy for free WiFi

Free WiFi. Image courtesy of ShutterstockThe UK city of York plans to roll out, citywide, the sweet, sweet candy of free Wi-Fi.

All you have to do to get it is to roll over and expose your personal data’s tender underbelly.

After that, just sit back, buckle up, and let the marketing blitz begin!

In an interview with the BBC, Roy Grant, CIO for the City of York Council, said that the free service has only been up and running for a few weeks, but already, his team can discern such choice data nuggets as:

  • Who’s using the Wi-Fi;
  • Where they’re coming from, in terms of origin; and
  • Where they’re going.

Businesses are already getting a better insight into footfall, he said – as in, how much time do you and your MAC address-leaking mobile phone spend in front of discounted tube socks, for example, and do you or do you not head to the gym shortly thereafter?

MAC addresses – or Media Access Control addresses – are unique, factory-set IDs in devices that connect to networks.

They can be tinkered with via software, but generally they’re not, so they’re stable enough to be thought of as a permanent ID that lasts for the lifetime of the device.

When your phone has Wi-Fi switched on, it will search for Wi-Fi networks: a process that involves sending a wireless broadcast that includes the device’s MAC address.

Naked Security’s Mark Stockley does a fine imitation of the process’s blabbiness:

*ping* *ping* *ping*. *track me* *track me* *track me* ... weeks pass ... *ping* *track me again*

This all happens even if you don’t actually join a network.

Businesses in the US are already using such data to build shopper profiles.

Such profiles have enabled things such as, for example, when one owner of an Asian restaurant tracked customers’ movements, discerned that many went to a gym, and ordered workout tank-tops with his restaurant’s logo.

All that’s done with anonymous, aggregate information. Likewise, there’s plenty that York and its Wi-Fi providing partner, Purple WiFi, can do with whatever they sniff from phones when people wander by.

For example, Purple WiFi CEO Gavin Wheeldon told the BBC, a city like York could save electricity by turning off lights in areas where (mobile phone carrying) people don’t go.

(Presumably, people who don’t own mobile phones will be encouraged to evolve quickly in the direction of bat-like sonar.)

But wait, there’s more!

While “there’s a value in understanding how devices move around,” meaning that even anonymous data “is useful”, Wheeldon said, things get a lot more interesting when people sign in for the free Wi-Fi and thereby part with the information Purple WiFi looks forward to collecting in exchange, including:

  • your age,
  • your gender,
  • your social interests, and
  • who your friends are in the city.

With that data in hand, Wheeldon said, Purple WiFi can push “hyper-relative info.”

Hyper-relative info could be translated, of course, into precision targeted marketing.

Even in the early stages of the rollout, York businesses can already look forward to marketing at middle-aged females from outside the UK, which make up the “vast majority” of people logging in, Grant said.

Even if people don’t log in, Purple WiFi plans to keep location data on devices it tracks without users’ authorisation for up to a year.

That means they’ll know where you’ve been for the past 12 months.

Correction: Wheeldon pointed out that the City of York and his company won’t be tracking you, per se – rather, it will just be tracking “a device”.

That tune should sound very familiar.

It’s a classic: it’s the “when we slurp your Wi-Fi data, we’re only collecting anonymised, aggregate information” ditty.

That’s what retailers such as Nordstrom and spying trash bin company Renew said about their Wi-Fi sniffing efforts.

In August 2013, the City of London actually told the Wi-Fi enabled rubbish bin company to stop tracking passersby.

The collection of anonymous data through MAC addresses is legal in the UK, though it exists in a grey area.

That’s because the UK and the EU have strict laws about mining personal data using cookies – small bits of data sent from a website that can be used to uniquely identify people and then monitor their behaviour across different websites.

Under UK and EU law, companies that want to use cookies to track us in the virtual world must gain our consent to do so.

However, no such consent is required by UK and EU law to track us in the real world using our devices’ MAC addresses.

As far as the US goes, October 2013 saw the emergence of a “code of conduct” (PDF) for mobile marketing firms which they themselves agreed to (note, however, that the retailers who want to use data for marketing purposes didn’t actually show up at the code’s unveiling).

Mobile phone. Image courtesy of ShutterstockThe code of conduct stipulates that shoppers should clearly know when they’re being tracked through their phones in stores and will receive instructions for opting out.

(It’s worth noting that some don’t like the notion of being tracked even if the data is anonymised, nor should they.)

(As cases such as that of AOL’s search data leakage and others have shown, making data truly anonymous is hard, and leaked data that isn’t quite anonymous enough cannot be un-leaked.)

Informed consent information is contained in the terms and conditions that users of York’s free Wi-Fi have to accept before they can log on.

That would be the same type of long, legalistic terms and conditions statements that we all read so thoroughly before we click OK on services such as Facebook.

Or not.

From the BBC interview:

BBC Click's Spencer Kelly: How many people have ever read Facebook's terms and conditions?

Wheeldon: I don't think people do.

Grant maintains that the terms and conditions go far enough.

There is no option to opt out from having MAC addresses recorded when joining the Wi-Fi. Nor does Grant think there should be:

There's a cost to put in the equipment, to provide connectivity, the overlay of software, and it's a fair exchange of data. You want free Wi-Fi and don't want to use your data. The exchange of value is that you're going to share that data.

Don’t speak English? ¿No hablan Inglés? 不会说英语? Ekki tala ensku?

According to Purple WiFi, York attracts 7 million visitors per year, 2 million of whom are Chinese.

Eso no es un problema! Purple WiFi is multilingual, so there’s no way the non-English-speaking will slip through marketers’ tight grip.

If you don’t want to share that data – either by opting in to the free Wi-Fi or having it sucked out of your phone as you wander by – here are some privacy tips to block snoopers that Naked Security’s John Zorabedian recently shared:

Wi-Fi privacy tips:

  • Turn off Wi-Fi and Bluetooth when you’re not using it. You can also use “flight mode” (although you won’t be able to receive calls in flight mode).
  • Your apps such as Facebook, Twitter and Instagram use geo-tagging. Turn geo-tagging off if you don’t want to give away your location.
  • Don’t accept prompts to remember Wi-Fi networks – if you automatically connect to networks, you could leave yourself vulnerable to Wi-Fi sniffers, including marketing location analytics firms but also spies or criminals, who can see who you are and track you. An attacker could also create a network with the same name and use it to launch a Man-in-the-Middle attack.
  • Encrypt your devices and data. You should always use a VPN (virtual private network) for a secure connection when you sign on to an open Wi-Fi network.
  • Make sure you’re using WPA2 encryption on your wireless networks. Don’t use the outdated WEP or WPA encryption protocols.
  • Download the free Sophos UTM Home Edition. It comes with a VPN for both iOS and Android.

Image of free WiFi sign and mobile phone courtesy of Shutterstock.