Sophos Cloud Optix
How much would you ‘pay’ for ‘free’ Wi-Fi?
Would you give away your birthday? Your travel details? Your home address? Your phone number?
Well, a couple of weeks ago, a security researcher in the UK was looking around online, as you do…
…when he came across yet another company that had joined the 100 million club.
That’s the name we jokingly coined – we hoped we were making a joke at the time, though we quickly realised we weren’t – back in 2013 when Adobe infamously suffered a breach that exposed 150,000,000 encrypted password records in one go.
Despite the encryption – which Adobe hadn’t gone about in the right way – a significant minority of the passwords in the list could be figured out. (Adobe had stored the password hints in plaintext, and lots of users had just repeated their passwords in the hint field, as absurd as that sounds.)
Big breach society
Back then, we rather naively assumed that membership of this notional “100 million club” would remain thankfully rare.
But the low cost and ready availablity of cloud storage has, sadly, made it easier than ever for just about anyone to leak just about as many records as they care to share.
And that’s what seemed to have happened in the case that Jeremiah Fowler of Security Discovery stumbled upon in mid-February 2020.
Although the data, 146 million records’ worth of it, didn’t include deeply sensitive details such as as passwords (or even password hashes), payment card details or financial transactions, Fowler could see what looked like travel details in there.
He quickly tracked the source back through domain names in the data to a company that turns out to operate ‘free’ Wi-Fi’ hotspots, including at a number of train stations in England.
The company reacted quickly to Fowler’s report by sealing off the data it had accidentally exposed in the cloud – though it didn’t tell Fowler, leaving him to worry that his report wouldn’t get looked at until the following week.
So, why would anyone want to worry about 146,000,000 database entries relating to free Wi-Fi users connecting to a free Wi-Fi service?
The problem is, of course, that – in the UK at least – ‘free’ Wi-Fi seems to divide into two categories.
There’s ‘free if you come into the coffee shop and buy something, here’s the password, help yourself, no need to register, and why not try the carrot cake while you’re about it, you will like it more than you think‘ (true).
And there’s the ‘free in return for a bunch of personal data that will help us market to you in a way that makes your retail/station/airport experience so much more enjoyable‘ (not-so-true).
The problem with the second sort of ‘free’ Wi-Fi is that the company that’s giving you the ‘free’ service can only really make money out of it – by which we mean that they can only make you pay for it – if they keep track who you are and what you do when you connect.
That’s why Fowler found all sorts of scammer-friendly information logged in the records of the database he came across, including names, email addresses, age ranges and device data of users of the service.
As Fowler remarks:
In this case anyone with an internet connection could see what station the user was at, a time stamp, ads they may have seen, the postcode where they live and much more. Every little piece of information is essentially a puzzle piece that can be used to paint a bigger picture of the user.
So, just how much personal data should you give away in return for a ‘free’ service such as Wi-Fi?
In an era of affordable mobile data – especially in the UK, where pay-as-you-go SIM cards are cheap and can be bought without much fuss at just about any supermarket checkout – do you even need free-as-in-paid-for-indirectly Wi-Fi at all?
What to do?
Here’s an idea: sit down one evening, decide how much your various items of personal data are worth to you, and then stick to your valuation whenever you hit an online sign-up page.
For example, in our opinion, your age in general and your birthday in particular – still treated as a factor of identification by many organisations – is worth too much to hand over in return for free Wi-Fi, even though it’s a data point many Wi-Fi services seem to want.
If a company demands data that you think is worth more to them than you are getting in return, our advice is simple: “Stay away.”
After all, if they don’t value your data as highly as you do, there’s not much incentive for them to look after your data with the zeal you might expect.
Incidentally, it seems that in this case, the Wi-Fi provider did offer a “don’t want to give you that data” option during sign-up, and that would have been the wise choice.
Remember: you don’t have to fill in optional fields in web signup forms, and life is a lot simpler if you routinely leave them blank.
After all, if you don’t hand over data in the first place, there’s no way the company at the other end can ever lose it in a data breach.
I always put in a fake email address
we have a hacker right here ^
Why not just give fake data?
On purely ethical grounds, if the provider’s terms and conditions prohibit the use of fake data, you simply shouldn’t use fake data. (Two wrongs don’t make a right.)
If you don’t like their T&Cs, then you shouldn’t accept the T&Cs at all, as a matter of principle. And you certainly shouldn’t accept them under false pretences – you’re then supporting the provider’s cause (because you are now officially a signed-up user who adds to the count of people who find the T&Cs acceptable). Wny not stand up and be counted by not using their service at all?
Deciding you refuse to accept the T&Cs but then sneakily accepting them anyway is a bit like those people who pirate music from an artist they think is so rich and greedy already that “they don’t need or deserve any more money”. If you reject the artist, you should be downloading legal, free indie music instead so the artist you disapprove of doesn’t get your approval in any form.
Nothing here about not using fake data :
https://www.gwr.com/plan-journey/journey-information/on-board/wifi-on-board/wifi-terms-and-conditions
True.
Of course, the fact that you don’t put in real data doesn’t mean it *isn’t* you – and it doesn’t mean that you aren’t going to be tracked anyway. The Wi-Fi will still be accumulating data and habits and mapping them to your device… presumably including sites it blocked you from getting to.
1 unethical hacker disliked this comment.
Also, you don’t have to tell the truth.
If the T&Cs say you have to tell the truth, then, basically, you do. You can’t lie just because it’s a convenient way for you to get and use something you don’t approve of while hiding that you don’t approve of it. (Because even though you fill in garbage data, you are still agreeing to the T&Cs.)
For me it’s not a case of disagreeing to the T&Cs but a case of who has the time to read these for every site that you visit? I’m fed up of encountering Cookies Acceptance messages on every single site (most of us have just accepted this as a habit to quickly accept so we can get on with accessing the website). A lot of websites don’t even have the option to say “No” but allow you to change Cookies settings which means reading through pages and pages of options. It’s a ridiculous situation.
To be fair, there aren’t *that* many ‘free-but-not-that-free’ Wi-Fi providers left, so it’s not quite like reading T&Cs for every website.
My approach has been to avoid any free Wi-Fi provider that requires you to sign up (and therefore tracks you every time you reconnect to their service somewher else in the country), and to let that determine where I spend my money while out and about, too.
This also very often has the splendid side-effect of keeping me out of franchised coffee shops, so I get faster, simpler wireless access and a more vibrant range of coffees. (My local coffee shop tends to favour Great Lakes and Ethiopian coffee, which suits me fine. Even though I doubt I could tell a Ugandan bean from a Javanese one in a truly scientific test 😉
Have clickthrough T&Cs agreements ever actually been tested legally? I have a vague recollection from years back that it had been generally decided that they’re unenforceable (in fact, you haven’t agreed to them even if you check the box) because no contract can be formed in such a way. Has that changed? And what if you edit the text and then click to agree to that? “I just made a counter-offer, and your website/software accepted it on your behalf. You can’t have it both ways.”
Nice glider BTW.
Yep, I also always use a fake (but valid) email address.
If it *actually works*, then it can’t really be fake – either it’s a temporary email address that you set up (whether you think it is traceable to you or not), or you made up an email address that belongs to someone else. Even if you assume it’s not in use, you really shouldn’t use other people’s domains or usernames.
duck@bounce.example.com usually works well for me 🙂
Indeed, example DOT com is explicitly listed in the RFCs as “can be used for example” (along with example DOT org, example DOT net, DOT example, DOT test and DOT invalid).
AFAIK, the example DOT com domain is operated by ICANN and its web server is a public service that just says, “This domain is for use in illustrative examples in documents. You may use this domain in literature without prior coordination or asking for permission.”
IIRC, example DOT com used to run a mail server, too, that accepted mail but told your mail client that it was “just an example”. That server no longer seems to listen on port 25… maybe it became too much hassle to keep it going?
Paul Ducklin nailed it all the way and this post is super helpful.
Maybe set up a sub-inbox in your gmail account with the plus sign like “myusername+airportjunk@gmail.com” or create a “promotions” email account that you *might* get to someday. I think putting false information in any computer system in fact does do more harm than good. Collectively (as in millions of people doing the same thing, like littering) there is a backlash in terms of higher economic and environmental strain on the entire internet ecosystem. Users and providers need to all be above board. If a provider is doing something the users don’t like, it doesn’t justify underhanded acts on the part of the user. My 2¢.
Outlook DOT com also allows plus signs in email addresses.
For those not familiar, email to “name PLUS tag AT example DOT com” will be delivered to the account “name”, but the address will be treated as new by most online services, and will obviously show up as different (and thus be self-documenting as to original source) when it arrives.
Works with Gmail aswell.
If find that many hotels/hotel chains try to make a quick buck with Wifi, asking you to sign your life away, I’ve actually read through some of the TCs. In most places I prefer to use my mobile data. When rating the hotel on their website / tripadvisor etc, I make a strong point about it. I stayed at the Comfort Inn at Gardemoen airport in Norway, their WiFi was free and there were no catches, nothing to sign, 100 MBPS up and down, so if they can do it, why can’t the others?
Wait that wifi isn’t just included in the price of the room?! I figured that staying in a hotel meant paying for ALL available amenities not in the shop.
In the UK, some hotels have free Wi-Fi throttled to speeds that make things like watching videos a waste of effort, or faster access for a daily fee.
I never use WiFi other than that provided for by my ISP. I don’t have a cell phone and both of my laptops connect to the internet via usb cable.
If at Starbucks that now requires an email, certainly use a temporary email, but I would go a step further as a practical matter due to some of sensitive material I handle and expectation I keep private information – private. Use a VPN after connecting to free WiFi and use a scrubbing utility that will permanently erase your browsing history and other data your computer leaves an electronic footprint for anyone to find if they want to. Security and privacy go hand-in-hand in my view, take them both seriously. Best, Darren Chaker