# On Privacy Risks of Public WiFi Captive Portals

**Authors:** Suzan Ali, Tousif Osman, Mohammad Mannan, Amr Youssef

arXiv: 1907.02142 · 2019-07-05

## TL;DR

This study analyzes privacy risks associated with public WiFi hotspots, revealing extensive data collection and tracking practices that compromise user privacy even before consent is given, with long-term tracking capabilities.

## Contribution

It provides a comprehensive privacy analysis of 67 public WiFi hotspots, highlighting widespread data collection and persistent tracking behaviors often overlooked by users.

## Key findings

- Hotspots collect sensitive personal data via social login and registration forms.
- Persistent third-party cookies enable long-term user tracking, up to 20 years.
- Many hotspots share user data with third-party trackers, sometimes via unencrypted HTTP connections.

## Abstract

Open access WiFi hotspots are widely deployed in many public places, including restaurants, parks, coffee shops, shopping malls, trains, airports, hotels, and libraries. While these hotspots provide an attractive option to stay connected, they may also track user activities and share user/device information with third-parties, through the use of trackers in their captive portal and landing websites. In this paper, we present a comprehensive privacy analysis of 67 unique public WiFi hotspots located in Montreal, Canada, and shed some light on the web tracking and data collection behaviors of these hotspots. Our study reveals the collection of a significant amount of privacy-sensitive personal data through the use of social login (e.g., Facebook and Google) and registration forms, and many instances of tracking activities, sometimes even before the user accepts the hotspot's privacy and terms of service policies. Most hotspots use persistent third-party tracking cookies within their captive portal site; these cookies can be used to follow the user's browsing behavior long after the user leaves the hotspots, e.g., up to 20 years. Additionally, several hotspots explicitly share (sometimes via HTTP) the collected personal and unique device information with many third-party tracking domains.

## Full text

_Full body text omitted from this summary view._ Fetch the complete paper as Markdown: https://tomesphere.com/paper/1907.02142/full.md

## Figures

10 figures with captions in the complete paper: https://tomesphere.com/paper/1907.02142/full.md

## References

47 references — full list in the complete paper: https://tomesphere.com/paper/1907.02142/full.md

---
Source: https://tomesphere.com/paper/1907.02142