The Information Commissioner’s Office (ICO) has issued a warning over the security of free public Wi-Fi services in shops, hotels, stations and airports, following a review of providers.
The organisation zoomed in on sign-up processes to access public networks, looking chiefly at the amount and type of personal data requested.
It found a wide range of options currently in use in the wild, with some networks not requesting any personal data whatsoever, while others asked for far more.
In the most extreme case the ICO found one provider demanded a full name, postal and email address, mobile phone number, date of birth and gender. Only the gender question was optional.
Writing in a blog post on the ICO’s website, Simon Rice, group manager for the ICO technology team, said those Wi-Fi networks that did request personal data to access the service generally also processed said data for marketing purposes.
Some of them gave users the choice to opt out of electronic newsletters or updates, and others offered no choice at all in this matter.
It was also the case that those Wi-Fi networks who requested personal data, generally also processed this for marketing purposes too. Some provided users with the choice to receive electronic newsletters and updates, with either an opt-in, or opt-out tick box. Others offered no choice at all during the sign-up process – the only choice was to not use the service.
The ICO said the Data Protection Act (DPA) did not contain any obligation for Wi-Fi operators to force users to register or hand over personal data to use free services. The law states that such data can only be collected for specified purposes, and must be relevant, and not excessive. This said, specified purposes can include direct marketing.
Even so, the ICO’s own guidance on direct marketing emphasises that organisations must have consent from their users, which must be informed and freely given, which Rice pointed out was rarely the case, given such statements are often hidden in lengthy and barely read privacy policies.
The ICO recommended that users take the time to read any and all information given by providers before connecting to their Wi-Fi services. It is fully legal for them to ask for an email address, but they must be upfront about what they plan to do with it.
Rice said the ICO would discuss its findings with the relevant providers. “We have contacted the Wi-Fi network providers who were part of the review, to let them know of improvements they would need to make in their practices and if necessary we can take enforcement action to remedy breaches of the DPA or Privacy and Electronic Communications Regulations,” he wrote.
The watchdog also highlighted other security risks associated with using public Wi-Fi networks. All the providers it surveyed operated open networks, meaning they did not encrypt any traffic and there was therefore a risk it might be intercepted.
