Login | Register

A Large-Scale Evaluation of Privacy Practices of Public WiFi Captive Portals


A Large-Scale Evaluation of Privacy Practices of Public WiFi Captive Portals

Ali, Suzan Ali Ahmad (2020) A Large-Scale Evaluation of Privacy Practices of Public WiFi Captive Portals. Masters thesis, Concordia University.

[thumbnail of Ali_MASc_S2020.pdf]
Text (application/pdf)
Ali_MASc_S2020.pdf - Accepted Version
Available under License Spectrum Terms of Access.


Open access WiFi hotspots are widely deployed in many public places, including restaurants, parks, coffee shops, shopping malls, trains, airports, hotels, and libraries. While these hotspots provide an attractive option to stay connected, they may pose security and privacy risks to users. Several past studies focused on privacy leakage from browsing the internet or using mobile apps in an open hotspot, due to the nature of these hotspots, and the use of HTTP, as opposed to HTTPS for connections between the user device and the web service. The US Federal Trade Commission (FTC) acknowledges those risks and advises public WiFi users to take reasonable measures while using such networks.
To complement previous efforts in analyzing security and privacy risks of using public WiFi hotspots, we design two comprehensive frameworks. The first framework (CPInspector) is designed to analyze the tracking behaviors and privacy leakage on public WiFi captive portals—where users typically agree to the hotspot’s terms or sometimes register before being allowed to access the internet. CPInspector performs a wide range of web tracking measurements on public WiFi captive portals for both Windows and Android; we must physically visit each hotspot and run the CPInspector on the hotspot captive portal. We also inspect the personal data collection practices of those hotspots and the security measures adopted to protect users’ information. Hotspots pose some unique risks due to their access to the users’ foot traffic, browsing habits, the device MAC address, and in certain cases, personal information such as name, email address, social media profile, location and employment history. Using CPInspector, we initially conducted a comprehensive privacy analysis of 80 public WiFi hotspot locations in Montreal, Canada. Our analysis reveals the collection of a significant amount of privacy-sensitive personal data through the use of social login (e.g., Facebook and Google) and registration forms, and many instances of tracking activities, sometimes even before the user accepts the hotspot’s privacy and terms of service policies. We also analyzed 98 hotspot locations in Montreal for ad injection, but we did not observe any content modification attempts. Next, we expanded our study to hotspots from other cities in Canada, Europe, and the US. We conducted a high-level comparative analysis of tracking behaviors of those hotspots (in total, 192 public WiFi hotspot locations; including Montreal hotspots). We conclude that some of our findings are indeed applicable to a larger geographical area, including the use of third-party trackers on captive portals and sharing the harvested data with third-party entities using third-party captive portals.
We use the second framework to analyze hotspots privacy policies and terms-of-use documentation which also discloses the service provider’s data and privacy practices. We augment our policy analysis using our collected hotspots’ datasets to validate selected privacy aspects of the public WiFi. We evaluated a sample of 16 privacy policy and TOS documents from hotspots that appear to be most risky in Montreal, Canada. Our analysis reveals many instances where the hotspot may appear to conform to privacy best practices according to its documentation but fail to implement necessary technical measures.

Divisions:Concordia University > Gina Cody School of Engineering and Computer Science > Concordia Institute for Information Systems Engineering
Item Type:Thesis (Masters)
Authors:Ali, Suzan Ali Ahmad
Institution:Concordia University
Degree Name:M.A. Sc.
Program:Information Systems Security
Date:7 May 2020
Thesis Supervisor(s):Mannan, Mohammad and Youssef, Amr
Keywords:Privacy, security, wireless networks, public WiFi, hotspot, captive portal, tracking, privacy policy
ID Code:987023
Deposited By: Suzan Ali Ahmad Ali
Deposited On:25 Nov 2020 16:32
Last Modified:25 Nov 2020 16:32
All items in Spectrum are protected by copyright, with all rights reserved. The use of items is governed by Spectrum's terms of access.

Repository Staff Only: item control page

Downloads per month over past year

Research related to the current document (at the CORE website)
- Research related to the current document (at the CORE website)
Back to top Back to top