How ‘free’ Wi-Fi hotspots can track your location

Simple steps can protect your privacy and location data.


Before you join the Wi-Fi hotspot at your local cafe, you might want to make sure it won’t follow your footsteps—literally—after you leave. Ostensibly “free” Wi-Fi hotspots are in hundreds of thousands of businesses and public spaces across the United States. They’re in shopping malls. In airports. In chain restaurants. In local cafes. As a result, it’s easier than ever to get online. If your notebook or phone lacks a reliable data connection, you can still connect to a hotspot. But this convenience often comes at a price: your personal data and privacy.

When you use “free” Wi-Fi, there’s a good chance it’s managed by a third-party provider—which gets you online in exchange for your valuable sign-on data. The sign-on information that hotspots require will vary, but often includes your email address, phone number, social media profile, and other personal information. All can be used to target you with advertising and gain insights on your habits.

As Emory Roane, policy counsel at Privacy Rights Clearinghouse (go.pcworld.com/pvrt), told PCWorld: “Read through the Wi-Fi Terms of Use for any of these businesses and you’ll almost certainly realize that there’s still no such thing as a free lunch.”

That’s probably not a surprise to most Wi-Fi hotspot users. But what might surprise you is that some hotspot providers are taking data collection a step further, and quietly tracking millions of users’ whereabouts even after they’ve left an establishment. These hotspots are part of America’s burgeoning location-based Wi-Fi marketing industry.

PCWorld spoke to privacy experts and Wi-Fi location-analytics companies to learn more about how this technology works, and what you can do to avoid being tracked.


PCWorld reviewed the privacy policies of a dozen Wi-Fi hotspot providers and found that they commonly ask users to agree to location tracking when they sign on. Some phrases that tip off this practice are “location data,” “location history,” “your location,” “device identifiers,” and “MAC address” (more on this later).

We reached out to all of the Wi-Fi companies, but only two with major operations in the United States responded to questions about tracking hotspot users. These networks, Zenreach and Euclid (go.pcworld.com/ecld), log the locations of millions of smartphone and laptop owners who pass within range of their hotspots—even when these people don’t sign on.

According to Zenreach’s privacy policy, “Later, when the user’s device returns to this client location or enters the Wi-Fi range of another Zenreach router (of any Zenreach client), we automatically recognize the device and record the visit in our record for that device.”

According to Euclid’s privacy policy, “General Visit Information is collected as your mobile device moves across different Locations that use our technology.”

To give you an idea of a hotspot network’s scope, Zenreach counts Peet’s Coffee, Five Guys, IHOP, and KFC among its larger clients, according to its website (go.pcworld.com/znwb). KFC has nearly 4,500 locations nationwide, so these networks can span broad swaths of urban areas.


When you connect to public Wi-Fi, you’ll usually be greeted with a sign-in form, also known as a “captive portal.” This is where you provide personal information and consent to terms of service to get online.

In the case of Zenreach, “by clicking ‘go online,’ you agree to our terms of use and privacy policy,” allowing them to track your location over time. Euclid is more explicit, saying, “you agree to provide this device’s location” next to where you can tick a box to consent.

What distinguishes location-based marketing hotspot providers like Zenreach and Euclid from standard third-party hotspot providers is that the personal information you enter in the captive portal—like your email address, phone number, or social media profile—can be linked to your laptop or smartphone’s Media Access Control (MAC) address. That’s the unique alphanumeric ID that devices broadcast when Wi-Fi is switched on.

As Euclid explains in its privacy policy, “... if you bring your mobile device to your favorite clothing store today that is a Location—and then a popular local restaurant a few days later that is also a Location—we may know that a mobile device was in both locations based on seeing the same MAC Address.”

MAC addresses alone don’t contain identifying information besides the make of a device, such as whether a smartphone is an iPhone or a Samsung Galaxy. But as long as a device’s MAC address is linked to someone’s profile, and the device’s Wi-Fi is turned on, the movements of its owner can be followed by any hotspot from the same provider.

“After a user signs up, we associate their email address and other personal information with their device’s MAC address and with any location history we may previously have gathered (or later gather) for that device’s MAC address,” according to Zenreach’s privacy policy.

This can reveal a detailed profile of someone’s daily habits. Where they shop, where they live, and what places they frequent at certain times could be laid bare by this data.

Stacey Gray, policy counsel at the Future of Privacy Forum, told PCWorld that associating a MAC address with someone’s movements between locations reveals “highly sensitive” information.

“Analyzing MAC signals from mobile phones can be valuable for retailers and others to calculate wait times, understand peak versus off-hours, or assign staff,” Gray said. “However, location data is highly sensitive when linked to an individual over time and across venues.”

Neither Euclid nor Zenreach would provide PCWorld with exact figures on how many people’s data they’re collecting. But Euclid claims more than 120 million monthly active devices globally and told PCWorld that the majority of its users are in the United States. Zenreach also told PCWorld that most of its hotspots are in the United States. It’s also the most well-funded of the location analytics companies, having raised $80 million for a $210 million valuation as of March 2017, according to Crunchbase.

When asked to respond to people who might find Wi-Fi location tracking invasive, Zenreach cofounder Kai Umezawa highlighted the convenience, pointing out how his company makes it easy to get online.

“After customers log in to the Wi-Fi at a merchant location, we can recognize that device at any Zenreach network location,” Umezawa said. “The benefit for users is one-click access to Wi-Fi in any of these locations.”

All the hotspot providers PCWorld reviewed say they take data security seriously. A Euclid spokesperson said the company immediately anonymizes collected location data by “de-personalizing” or “hashing” it into a non-human-readable format when stored. That said, Euclid still processes and provides identifiable data to businesses on someone’s visits between various locations they own.

Zenreach didn’t respond to multiple emails asking if they anonymize personal data collected over Wi-Fi, and the company’s privacy policy makes no mention of doing so.

How the data is used differs from provider to provider, and where it might end up is another question entirely. Many promise never to share it. Others have more opaque policies, or, in the case of Zenreach, may outright share data with clients, affiliates, and other third parties. Euclid may also share data with advertisers, but only in “hashed” form.


If you’re concerned about data being collected by free Wi-Fi hotspots, there are some simple steps you can take to protect your personal information.

Don’t use “free” Wi-Fi: The most obvious solution to protecting your data from free Wi-Fi networks is not to use them at all. Alternatives include using the data services from your cellular provider, or signing up for a more secure hotspot service like Boingo.

Disable Wi-Fi when you’re not using it: Enabling Wi-Fi lets these hotspots track you (and also drains your battery faster). There’s really no reason to keep your Wi-Fi on unless you need to connect.

Read the privacy policy: It’s tempting to skip reading the privacy policy, but if you take a few minutes to do so, you can learn how the Wi-Fi service is collecting your data and where it might end up. Keywords to look for are “MAC address,” “location,” “collect,” and “share.”

Opt out of location tracking and delete your data: Location analytics companies let you opt out of location tracking and delete your data, though some opt-outs are easier than others. How to opt out can be found in a privacy policy. You’ll be given a chance to review the policy before you sign in to a captive portal, or you can find it on the hotspot provider’s website.

You’ll need to get your MAC address to opt out of any location tracking. On an iPhone, you can find it under Settings > General > About, where it’s listed as your Wi-Fi Address. On Android, tap the menu key and go to Settings > Wireless & Networks or About Device. Press the menu key again and hit Advanced, and then you should see your device’s MAC address.

You can then provide your MAC address to opt out of many, but not all, location-tracking services through the Future of Privacy Forum’s Smart Places web portal. This is a one-stop shop many location analytics companies work with voluntarily. (Companies should say in their privacy policies if they’re associated with the Future of Privacy Forum.)

Not all location analytics companies are associated with the Smart Places web portal, including Zenreach. In these cases, you’ll need to find a Wi-Fi hotspot provider’s email in its privacy policy and contact the company directly with your MAC address on hand. You should be able to request to opt out, receive the data they have on you, and have it deleted. See the screenshot below from Zenreach’s policy:

Randomize your MAC address on Android: Since version P, Android has added a feature that allows you to randomize your smartphone’s MAC address to improve privacy. This lets you generate a new MAC address for every Wi-Fi hotspot you connect to, effectively stopping these companies from tracking you. You can switch on MAC randomization under Developer Options.

There’s no need to go through a similar process on iPhones and iPads running iOS 11 and up, which automatically randomize their MAC address when scanning for Wi-Fi.

“Because a device’s MAC address now changes when disconnected from a Wi-Fi network, it can’t be used to persistently track a device by passive observers of Wi-Fi traffic, even when the device is connected to a cellular network,” according to Apple’s iOS Security Guide.

However, Apple also says “Wi-Fi scans that happen while trying to connect to a preferred Wi-Fi Network aren’t randomized,” meaning a hotspot a device has connected to previously will be able to detect the device’s actual MAC address.
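The linking that Euclid’s and Zenreach’s policies describe, and the effect of the MAC randomization covered above, shown as an added Python example (not code from PCWorld or any hotspot provider). The sighting records, venue names and MAC addresses are constructed, and the three addresses with the locally administered bit set are assumed to be one phone using a fresh random address at each venue.

```python
from collections import defaultdict

# Constructed sample sightings (venue, ISO time, MAC), shaped like the visit
# records the policies describe. All values are made up for illustration.
SIGHTINGS = [
    ("cafe-downtown",  "2018-09-03T08:05", "3c:22:fb:10:20:30"),
    ("clothing-store", "2018-09-03T12:40", "3c:22:fb:10:20:30"),
    ("restaurant",     "2018-09-05T19:15", "3C-22-FB-10-20-30"),
    # Assumed: one phone with per-network MAC randomization switched on.
    ("cafe-downtown",  "2018-09-03T08:07", "da:a1:19:5e:01:02"),
    ("clothing-store", "2018-09-03T12:41", "6e:4f:33:c0:aa:bb"),
    ("restaurant",     "2018-09-05T19:16", "f2:0b:77:12:34:56"),
]

def normalize(mac):
    """Return the MAC as 12 lowercase hex digits, or raise ValueError."""
    digits = mac.replace(":", "").replace("-", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def is_randomized(mac):
    """True if the locally administered bit (0x02 of the first octet) is set,
    which is how randomized addresses differ from factory-assigned ones."""
    return bool(int(normalize(mac)[:2], 16) & 0x02)

def vendor_prefix(mac):
    """First three octets of a factory MAC (identifies the device maker);
    None for a randomized address, which carries no maker information."""
    return None if is_randomized(mac) else normalize(mac)[:6]

def trails(sightings):
    """Group sightings by MAC in time order: the record kept per device."""
    by_mac = defaultdict(list)
    for venue, when, mac in sorted(sightings, key=lambda s: s[1]):
        by_mac[normalize(mac)].append((when, venue))
    return dict(by_mac)

def cross_venue(sightings):
    """MACs seen at more than one venue, i.e. devices that can be followed."""
    return {mac: trail for mac, trail in trails(sightings).items()
            if len({venue for _, venue in trail}) > 1}

if __name__ == "__main__":
    for mac, trail in cross_venue(SIGHTINGS).items():
        print(mac, "maker prefix:", vendor_prefix(mac), trail)
    print("separate device records:", len(trails(SIGHTINGS)))
```

Only the factory address produces a trail across all three venues; the randomized phone shows up as three unrelated single-visit devices, unless it rejoins a preferred network with its actual MAC address as Apple’s caveat describes.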

Don’t sign in with social media: It may be convenient and quicker to sign in with Facebook, Twitter, or LinkedIn, but it’s also ideal for data harvesters. Your social profile, especially your Facebook “likes,” reveals a wealth of information about you.

A study published in 2015 by the National Academy of Sciences (go.pcworld.com/nasc) found that it takes just 10 Facebook “likes” for a computer model to know your personality better than a colleague does. In a previous 2013 study by the same researchers, also published by the NAS, the scientists used Facebook “likes” to predict whether someone was black or white with 95-percent accuracy, male or female with 93-percent accuracy, gay or straight with 88-percent accuracy, and Democrat or Republican with 88-percent accuracy.


Unlike the United States, the European Union restricts individual, profile-based location tracking via Wi-Fi hotspots under the General Data Protection Regulation (GDPR), which went into effect in May 2018.

GDPR considers device identifiers like MAC addresses “individually identifiable information,” giving people rights to have their personal data processed securely and deleted, and requiring explicit user consent in the captive portal for location tracking.

“Exact location is considered as very sensitive information across Europe. Companies tracking user location need to, among others, provide easily understandable notice and obtain explicit user consent,” Alja Poler De Zwart, EU-based privacy and data attorney at law firm Morrison Foerster, told PCWorld.

“Companies who do not abide by these rules, risk regulatory enforcement action, including the GDPR-style fines,” Poler De Zwart added.

Netherlands-based Spoton Wi-Fi (go.pcworld.com/sp0t), a hotspot provider operating mostly in Europe, with some business in the United States, immediately anonymizes MAC addresses it associates with personal info to comply with GDPR.

“Without associating a MAC address to a social profile we wouldn’t be able to provide seamless roaming between cloud-based access points or create email campaigns that target guests with more than X visits,” Niek Giavedoni, founding director of Spoton Wi-Fi, told PCWorld.

Giavedoni confirmed that the ability to track identified users via their devices is present in Spoton Wi-Fi’s systems and other Wi-Fi networks, but he said it would be a privacy violation to track the locations of individual profiles through Wi-Fi in the EU.

“We are very much aware of the technical possibilities, the competitors that use it, and privacy concerns that come along with it,” he said.

Similar restrictions could make their way to the United States.

Government officials are grappling with how to safeguard personal data in the wake of Facebook’s Cambridge Analytica scandal, creating an opportunity for EU-like constraints on Wi-Fi location tracking to enter law. U.S. Senators Richard Blumenthal (D-CT) and Edward Markey (D-MA) are working on a federal “privacy bill of rights” to provide people with more protections and controls over data given over the web. Their offices didn’t respond to questions about their positions on Wi-Fi location tracking in time for publication.

States are taking action, too. California passed a sweeping privacy bill (go.pcworld.com/b375) in June that goes into full effect in 2020. The bill guarantees Californians the right to know what data is being collected about them and whether it’s being sold or disclosed, and to refuse the sale of their personal information.

“Unique personal identifiers,” which include MAC addresses, are among the data types the bill covers. But the rights the bill guarantees Californians are often already offered by companies voluntarily, and the bill still doesn’t restrict the location tracking that companies like Zenreach and Euclid employ.

Wi-Fi privacy regulations have actually taken a step backward at the federal level since the election of President Donald Trump, former Federal Communications Commission (FCC) staffer Marc S. Martin told PCWorld.

“One of the first acts by the Republican-controlled Congress and the Trump administration shortly after the president was inaugurated was to rely on the Congressional Review Act to repeal the FCC’s Broadband Privacy Rules,” said Martin, currently a partner at law firm Perkins Coie.

“Following that step, the Trump administration FCC repealed the FCC’s 2015 net neutrality rules,” he added.

Martin said because of these two repeals, there are currently “no prescriptive federal privacy rules or regulations governing Wi-Fi service providers in the United States.”

“It will take a new act of Congress, signed by the President, to adopt any new federal privacy rules governing public Wi-Fi service providers,” Martin said.

Euclid tells businesses the location a customer visits the most and how likely they are to visit again.

These templates from Zenreach’s captive portal builder show you how a Wi-Fi hotspot’s sign-in form can appear.

Euclid’s captive portal notes they track location.

This panel from Euclid shows some of the data available to businesses on a customer traveling between their venues.

Zenreach lets businesses send automated emails based upon how many times a customer has visited.

As in the case of Zenreach’s privacy policy, you can usually find the email address for opting out of location data collection at the end of a company’s privacy policy.

You can take steps to protect your data while using ‘free’ Wi-Fi hotspots.

Since 2018, the 28 members of the EU have tightened their data and privacy laws.

California is the first state to pass its own data privacy bill, which will go into full effect in 2020.
